Preface 


Welcome to the Trend Micro™ Mobile Security for Enterprise 8.0 Installation and 
Deployment Guide. This guide assists administrators in deploying and managing Mobile 
Security for Enterprise 8.0. This guide describes various Mobile Security components 
and the different mobile device agent deployment methods. 


For updated information about Mobile Security, including mobile device support and the 
latest builds, visit 
http://us.trendmicro.com/us/products/enterprise/mobile-security/index.html. 








Note: This Installation and Deployment Guide applies only to Mobile Security version 8.0. It 
does not apply to other versions of Mobile Security. Trend Micro support is limited to 
the use of Mobile Security. To obtain support for third-party applications mentioned 
in this guide, contact their corresponding vendors. 





This preface discusses the following topics: 

• Audience on page iv 

• Mobile Security Documentation on page iv 

• Document Conventions on page v 
Audience 


The Mobile Security documentation is intended for both administrators—who are 
responsible for administering and managing Mobile Security devices in enterprise 
environments—and device users. 


Administrators should have an intermediate to advanced knowledge of Windows system 
administration and mobile device policies, including: 

• Installing and configuring Windows servers 

• Installing software on Windows servers 

• Configuring and managing mobile devices (such as smartphones and Pocket 
  PC/Pocket PC Phone) 

• Network concepts (such as IP address, netmask, topology, and LAN settings) 

• Various network topologies 

• Network devices and their administration 

• Network configurations (such as the use of VLAN, HTTP, and HTTPS) 


Mobile Security Documentation 


The Mobile Security documentation consists of the following: 

• Administrator’s Guide—this guide provides detailed Mobile Security 
  configuration policies and technologies. 

• Installation and Deployment Guide—this guide helps you get “up and running” 
  by introducing Mobile Security, and assisting with network planning and installation. 

• User’s Guide—this guide introduces users to basic Mobile Security concepts and 
  provides Mobile Security configuration instructions on their mobile devices. 

• Online help—the purpose of online help is to provide “how to’s” for the main 
  product tasks, usage advice, and field-specific information such as valid parameter 
  ranges and optimal values. 

• Readme—the Readme contains late-breaking product information that is not 
  found in the online or printed documentation. Topics include a description of new 
  features, installation tips, known issues, and release history. 

• Knowledge Base—the Knowledge Base is an online database of problem-solving 
  and troubleshooting information. It provides the latest information about known 
  product issues. To access the Knowledge Base, open: 

  http://esupport.trendmicro.com/ 





Tip: Trend Micro recommends checking the corresponding link from the Update Center 
(http://www.trendmicro.com/download) for updates to the product 
documentation. 





Document Conventions 


To help you locate and interpret information easily, the documentation uses the 
following conventions. 





CONVENTION        DESCRIPTION 

ALL CAPITALS      Acronyms, abbreviations, and names of certain commands and 
                  keys on the keyboard 

Bold              Menus and menu commands, command buttons, tabs, options, 
                  and tasks 

Italics           References to other documentation 

Monospace         Example, sample command line, program code, Web URL, file 
                  name, and program output 

Link              Cross-references or hyperlinks 

Note:             Configuration notes 

Tip:              Recommendations 

WARNING!          Reminders on actions or configurations that should be avoided 


Chapter 1 


Planning Server Installation 


This chapter assists administrators in planning the server components for Trend Micro 
Mobile Security for Enterprise 8.0. 

This chapter contains the following sections: 

• Network Planning on page 1-2 

• Basic Security Model (Single Server Installation) on page 1-3 

• Enhanced Security Model (Dual Server Installation) on page 1-4 

• System Requirements on page 1-6 
Network Planning 


Mobile Security for Enterprise 8.0 consists of the following four components: 

• Management Server 

• Communication Server 

• SMS Senders (optional) 

• Mobile Device Agent (MDA) 

Depending on your company needs, you can implement Mobile Security with different 
client-server communication methods. You can also choose to set up one or any 
combination of client-server communication methods in your network. 

Trend Micro Mobile Security supports two different models of deployment: 

• Basic Security Model (Single Server Installation) 

• Enhanced Security Model (Dual Server Installation) 




Basic Security Model (Single Server Installation) 


The Basic Security Model supports the installation of Communication Server and 
Management Server on the same computer. Figure 1-1 shows where each Mobile Security 
component resides in a typical Basic Security Model. 

FIGURE 1-1. Basic Security Model 

Enhanced Security Model (Dual Server Installation) 


The Enhanced Security Model supports the installation of Communication Server and 
Management Server on two different server computers. Figure 1-2 shows where each 
Mobile Security component resides in a typical Enhanced Security Model. 








WARNING! Trend Micro strongly recommends deploying the Enhanced Security 
Model on two server computers. This model provides maximum security. 
FIGURE 1-2. Enhanced Security Model 


Management Server 


The Management Server is a plug-in program that enables you to control Mobile Device 
Agents from the OfficeScan Web console. Once mobile devices are registered, you can 
configure Mobile Device Agent policies and perform updates. 




Communication Server 


The Communication Server handles communications between the Management Server 
and Mobile Device Agents. The Communication Server allows the Management Server 
to manage Mobile Device Agents outside the corporate intranet. Mobile Device Agents 
can connect to the public IP address of the Communication Server. 


You can use the OfficeScan Web console to configure policies for the Communication 
Server. 


SMS Sender 


SMS senders are designated mobile devices connected to the Communication Server 
over WLAN connections or ActiveSync (version 4.0 or above). An SMS sender receives 
commands from the server and relays them to mobile devices via SMS text messages. 

SMS text messages may be used to notify mobile devices to: 

• download and install Mobile Device Agent 

• register Mobile Device Agent to the Mobile Security server 

• update the Mobile Device Agent components from the Mobile Security server 

• wipe, lock or locate the remote mobile device 

• synchronize policies with the Mobile Security server 


Mobile Device Agent 


Install the Mobile Device Agent on supported platforms using one of the installation 
methods—SMS message notification, email notification, memory card and manual 
installation. The Mobile Device Agent provides seamless protection against malware, 
unwanted SMS/WAP-Push messages or network traffic. Users will enjoy the benefits of 
real-time scanning, firewall protection and data encryption when sending/receiving 
messages and opening files on the mobile devices. 
System Requirements 


Review the following requirements before installing each Mobile Security component in 


your network. For information on Mobile Security components, refer to the Mobile 
Security for Enterprise 8.0 Administrator’s Guide. 


TABLE 1-1. System Requirements 

COMPONENT              REQUIREMENTS 

Management Server      • OfficeScan server 10.5/10.0 SP1/10.0 with Plug-in 
                         Manager 1.0 (build 3163) 

                       or 

                       • OfficeScan server 10.6/10.5 with Plug-in Manager 2.0 
                         (build 1188) 

                       Note: Refer to the OfficeScan Client/Server Edition 
                       10.0/10.5/10.6 server documentation for minimum 
                       system requirements. 

Communication Server   Platform 

                       • Windows 2003 Server Family 
                       • Windows 2003 R2 Server Family 
                       • Windows 2008 Server Family 
                       • Windows 2008 R2 Server Family 

                       Recommended Platform 

                       • Windows Server 2008 R2 Enterprise Edition 
                       • Windows Server 2008 Enterprise Edition SP1 
                       • Windows Server 2003 R2 Enterprise Edition 
                       • Windows Server 2003 Enterprise Edition 
                       • Windows Server 2008 Standard Edition 
                       • Windows Web Server 2008 Edition SP1 

                       Hardware 

                       • 1-GHz Intel™ Pentium™ processor or equivalent 
                       • At least 1 GB of RAM 
                       • At least 40 MB of available disk space 
                       • A monitor that supports 800 x 600 resolution at 256 
                         colors or higher 

SMS Sender             • Windows Mobile 5 Pocket PC Phone 
                       • Windows Mobile 5 Smartphone 
                       • Windows Mobile 6 Standard 
                       • Windows Mobile 6 Professional 

SQL Server             • Microsoft SQL Server 2005 
                       • Microsoft SQL Server 2005 Express Edition 
                       • Microsoft SQL Server 2008 
                       • Microsoft SQL Server 2008 Express Edition 
                       • Microsoft SQL Server 2008 R2 
                       • Microsoft SQL Server 2008 R2 Express Edition 

Web Server for         • Microsoft Internet Information Services (IIS) 6.0/7.0/7.5 
Communication Server 
                       Note: When using IIS 7.0 or above for Management Server 
                       or Communication Server, make sure: 

                       • that ISAPI Extensions in Application Development, and 
                         IIS 6 Management Compatibility are installed and enabled. 

                       • that WebDAV in Application Development is NOT 
                         installed. 

Web browser            Internet Explorer 7.0 or above 
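The IIS 7.0 and later conditions in the table can be checked from a PowerShell prompt before either installer is run. The script below is an added example and is not part of the Trend Micro guide: it uses the ServerManager module that ships with Windows Server 2008 R2 (on Windows Server 2008 without R2, query the same role services with ServerManagerCmd.exe -query instead) and the standard Windows role-service names Web-ISAPI-Ext, Web-Mgmt-Compat and Web-DAV-Publishing.

```powershell
# Added example (not from the Trend Micro guide): confirm the IIS 7.x role
# services that Table 1-1 requires on a Management Server or Communication
# Server host, and flag WebDAV, which the table requires to be absent.
Import-Module ServerManager

function Test-TmmsIisPrerequisites {
    # Role services that must be present (standard Windows feature names).
    $required = @(
        @{ Name = 'Web-ISAPI-Ext';   Label = 'ISAPI Extensions' },
        @{ Name = 'Web-Mgmt-Compat'; Label = 'IIS 6 Management Compatibility' }
    )
    # Role services that must NOT be present.
    $forbidden = @(
        @{ Name = 'Web-DAV-Publishing'; Label = 'WebDAV Publishing' }
    )

    $results = @()
    foreach ($f in $required) {
        $feature = Get-WindowsFeature -Name $f.Name
        $results += New-Object PSObject -Property @{
            Feature  = $f.Label
            Expected = 'Installed'
            Actual   = $(if ($feature.Installed) { 'Installed' } else { 'Missing' })
            Ok       = [bool]$feature.Installed
        }
    }
    foreach ($f in $forbidden) {
        $feature = Get-WindowsFeature -Name $f.Name
        $results += New-Object PSObject -Property @{
            Feature  = $f.Label
            Expected = 'Not installed'
            Actual   = $(if ($feature.Installed) { 'Installed' } else { 'Not installed' })
            Ok       = -not [bool]$feature.Installed
        }
    }
    return $results
}

$report = Test-TmmsIisPrerequisites
$report | Format-Table Feature, Expected, Actual, Ok -AutoSize

if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'IIS prerequisites for Mobile Security are not met. Typical fix:'
    Write-Warning '  Add-WindowsFeature Web-ISAPI-Ext, Web-Mgmt-Compat'
    Write-Warning '  Remove-WindowsFeature Web-DAV-Publishing'
}
```

Run it in an elevated PowerShell session on each server that will host IIS for Mobile Security; the Add-WindowsFeature and Remove-WindowsFeature commands printed in the warnings are the ServerManager equivalents of the Add Role Services wizard.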
Chapter 2 


Preparing Server Computer for 
Installation 


This chapter provides the required information that you will need to prepare your server 
computer for the Trend Micro Mobile Security for Enterprise 8.0 installation. 

This chapter contains the following sections: 

• General Prerequisites on page 2-2 

• iOS Support Prerequisite on page 2-3 

• BlackBerry Support Prerequisite on page 2-7 
General Prerequisites 


You need to perform the following to prepare your server computer for the installation 
for all the mobile device platforms. 


1. SQL Server installation 

   Install one of the following SQL Server versions: 

   • Microsoft SQL Server 2005 (or Express edition) 

     For the detailed SQL Server 2005 installation procedure, refer to the following 
     URL: 

     http://msdn.microsoft.com/en-us/library/ms143516(v=SQL.90).aspx 

   • Microsoft SQL Server 2008/2008 R2 (or Express edition) 

     For the detailed SQL Server 2008 installation procedure, refer to the following 
     URL: 

     http://msdn.microsoft.com/en-us/library/ms143219(v=SQL.100).aspx 

   Trend Micro recommends using the SQL Server Authentication method for SQL 
   Server instead of Windows Authentication. However, you can also configure 
   Windows Authentication for SQL Server. Refer to Using Windows Authentication for 
   SQL Server on page B-2 for details. Whichever method you choose, give Mobile 
   Security its own login with rights only on the Mobile Security database rather than 
   a server-wide administrative login such as sa. 


2. Active Directory Service Account access rights (Optional) 

   Note: You only need to perform this step if you plan to use Active Directory for user 
   authentication or import users from Active Directory. Otherwise, skip this step. 

   Create an Active Directory Service Account for Mobile Security 8.0 and assign it at 
   least Read-Only access to Active Directory. 

   For the detailed Active Directory installation procedure, refer to the following 
   URL: 

   http://technet.microsoft.com/en-us/library/cc757211(WS.10).aspx 


3. Router/Firewall Access Rules 

   Apply the following set of rules: 

   • If you plan to use Active Directory for user authentication or import users from 
     Active Directory, the Management Server and the Communication Server should 
     both be able to connect to the Corporate Directory server. 

   • The Management Server and the Communication Server should both be able 
     to connect to the remote SQL server, where the Trend Micro Mobile Security 
     database is installed. 

   • Configure the following two ports to establish a connection between the 
     Management Server and the Communication Server: 

     • 8189—the default port for SOAP connection. Allow inbound connection 
       to Communication Server from Management Server on TCP port 8189. 

     • 8190—the default port for socket connection. Allow inbound connection 
       to Communication Server from Management Server on TCP port 8190. 

     If you need to customize these port numbers, refer to Configuring Communication 
     Server Ports on page B-3 for details. 

   • All the mobile devices should be able to connect to the Communication Server. 
     Because the Communication Server is reachable from outside the intranet, expose 
     only its device-facing port; ports 8189 and 8190 should accept connections from 
     the Management Server address only. 

iOS Support Prerequisite 


1. Certificate Authority (Optional) 

   Install the Certificate Authority for iOS mobile devices. For the detailed Certificate 
   Authority installation procedure, refer to the following URL: 

   http://msdn.microsoft.com/en-us/library/ff720354.aspx 

   Note: Certificate Authority is required if you want to use SCEP for iOS mobile devices. 
   If you do not want to use SCEP, you do not need to install the Certificate 
   Authority. 


2. Simple Certificate Enrollment Protocol (SCEP) (Optional) 

   Note: If you do not want to use SCEP for iOS mobile devices, you will need to disable 
   it in Communication Server Settings after you have installed the Management 
   Server and the Communication Server. Refer to Configuring iOS Communication 
   Server Settings on page 4-7 for the procedure. 

   If you have set up SCEP on Windows Server 2008, install the Network Device 
   Enrollment Service for Windows Server. Refer to the following URL for the 
   installation and deployment procedure of Network Device Enrollment Service: 

   http://esupport.trendmicro.com/solution/en-us/1060187.aspx 

   or 

   http://technet.microsoft.com/en-us/library/ff955646(WS.10).aspx 

   Note: If you want to use SCEP, Trend Micro recommends using it on Windows Server 
   2008. 

   If you have set up SCEP on Windows Server 2003, install the SCEP Add-on for 
   Certificate Services. Go to the following URL to download SCEP Add-on for 
   Certificate Services: 

   http://esupport.trendmicro.com/solution/en-us/1060258.aspx 

   or 

   http://www.microsoft.com/downloads/details.aspx?FamilyID=9F306763-D036-41D8-8860-1636411B2D01&displaylang=en 


3. System clocks verification 

   Make sure that the system clocks of the SCEP server, Communication Server and the 
   Management Server are set to the correct time. Certificates carry validity times, so a 
   server whose clock is behind the CA will treat freshly issued certificates as not yet 
   valid. 


4. Modifying Policy Module properties for Certificate Authority 

   a. On the computer where Certificate Authority is installed, open the 
      Certification Authority management console. 

   b. Click the Policy Module tab, and then click Properties. 

   c. Select Follow the settings in the certificate template, if applicable. 
      Otherwise, automatically issue the certificate. 

      This makes the CA issue SCEP requests immediately instead of leaving them 
      pending for an administrator to approve, which the enrollment flow requires. 

   d. Click OK. 


5. Apple Push Notification service (APNs) certificate 

   If you want to use the Mobile Device Management (MDM) feature on iOS 4 or 
   above mobile devices, obtain an Apple Push Notification service (APNs) certificate 
   from Apple. Refer to Appendix C, Generating and Configuring APNs Certificate starting 
   on page C-1 for the detailed procedures. 


6. Router/Firewall Access Rules 

   Apply the following set of rules: 

   • iOS mobile devices should be able to connect to the Communication Server. 

   • If you are using SCEP, then: 

     • Communication Server should be able to connect to the SCEP server. 

     • iOS mobile devices should be able to directly connect to the SCEP server 
       when registering to the Mobile Security server. 

   • Configure the following ports: 

     • TCP port 2195—Allow outbound connection from Communication 
       Server to Apple Push Notification Service on TCP port 2195. The 
       hostname of Apple Push Notification Service is 
       gateway.push.apple.com. 

     • TCP port 5223—iOS devices receive push notifications from Apple's 
       servers on TCP port 5223. Allow outbound connections on this port from 
       the networks the devices use, especially Wi-Fi networks where port 5223 
       may be blocked. Devices on a 3G network do not need this rule. 


7. SSL Server Certificate (for HTTPS communication) 

   If you want to use the secure-HTTP (HTTPS) service for the communication 
   between mobile devices and Communication Server, obtain an SSL server 
   certificate from a recognized Public Certificate Authority or generate a private SSL 
   server certificate and install it on the Communication Server. Refer to Appendix D, 
   Generating and Configuring SSL Certificate starting on page D-1 for the detailed 
   procedures. 
   iOS 5.x mobile devices only support HTTPS. Therefore, if you want to manage 
   iOS 5.x mobile devices, you must use HTTPS to communicate with the 
   Communication Server, and configure the SSL certificate on the Communication 
   Server. 

   Note: Since only the Communication Server communicates with the mobile devices, you 
   do not need to configure the SSL certificate on the Management Server. 





Configuration Verification for SCEP server (Optional) 


If you have set up SCEP for iOS mobile devices, perform the following to verify the 
server configuration: 

• For SCEP running on Windows Server 2008, access the following URL from 
  the Communication Server: 

  http://<SCEPServerIP>/certsrv/mscep_admin 

• For SCEP running on Windows Server 2003, access the following URL from 
  the Communication Server: 

  http://<SCEPServerIP>/certsrv/mscep 

Note: Replace <SCEPServerIP> with the actual SCEP server IP address in the 
URLs. 

If you see a Web page similar to Figure 2-3. Configuration Verification, your server 
is configured correctly. 

Figure 2-3 shows the Network Device Enrollment Services page (opened as 
http://localhost/certsrv/mscep_admin), which states that it allows you to obtain 
certificates for routers or other network devices using SCEP and displays the 
thumbprint (hash value) of the CA certificate together with an enrollment challenge 
password. The password can be used only once and expires within 60 minutes; each 
enrollment requires a new challenge password, which you obtain by refreshing the 
page. Treat the challenge password as a credential: anyone who can read this page 
can obtain a certificate from your CA, so limit access to mscep_admin to the accounts 
that need it. 

FIGURE 2-3. Configuration Verification 

Note: When an iOS mobile device enrolls, it will be able to access the following URL: 
http://<SCEPServerIP>/certsrv/mscep 

The iOS mobile device only needs to connect to the SCEP server for enrollment, 
and does not require this connection for any further use. 
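The browser check above can be scripted from the Communication Server, and the same run can confirm the system-clock requirement listed under iOS Support Prerequisite. The script below is an added example, not code from the Trend Micro guide: it requests the verification URL, looks for the Network Device Enrollment Services page, confirms that a CA thumbprint and a challenge password are shown without recording the password, and measures the clock offset against the SCEP server with w32tm. The address 192.0.2.10, the use of the caller's Windows credentials for the mscep_admin page, the w32tm output format matched by the regular expression and the 5-minute skew threshold are assumptions.

```powershell
# Added example (not from the Trend Micro guide): verify the SCEP/NDES server
# and the clock offset from the Communication Server.

function Get-HttpText {
    param([string]$Url)
    $client = New-Object System.Net.WebClient
    # The mscep_admin page is normally protected by Windows authentication
    # (assumption): send the credentials of the account running the script.
    $client.UseDefaultCredentials = $true
    try {
        return $client.DownloadString($Url)
    } catch {
        Write-Warning ("Request to {0} failed: {1}" -f $Url, $_.Exception.Message)
        return $null
    }
}

function Test-ScepServer {
    param(
        [string]$ScepServerIP,
        [switch]$WindowsServer2003    # SCEP add-on on Windows Server 2003 uses /certsrv/mscep
    )
    $path = 'mscep_admin'
    if ($WindowsServer2003) { $path = 'mscep' }
    $url  = "http://$ScepServerIP/certsrv/$path"
    $html = Get-HttpText -Url $url

    $result = New-Object PSObject -Property @{
        Url             = $url
        Reachable       = ($html -ne $null)
        NdesPage        = $false
        CaThumbprint    = $null
        ChallengeIssued = $false
    }
    if ($html) {
        $result.NdesPage = [bool]($html -match 'Network Device Enrollment Services')
        # Drop the HTML tags so the patterns see the text a browser renders.
        $text = $html -replace '<[^>]+>', ' '
        if ($text -match 'thumbprint[^:]*:\s*([0-9A-Fa-f]{8}(?:\s+[0-9A-Fa-f]{8})+)') {
            $result.CaThumbprint = $Matches[1]
        }
        # The challenge password is a one-time enrollment credential: record only
        # that one was issued, never the value itself.
        $result.ChallengeIssued = [bool]($text -match 'challenge password\s*is:\s*[0-9A-Fa-f]{16}')
    }
    return $result
}

function Get-ClockOffsetSeconds {
    param([string]$ComputerName)
    # w32tm /stripchart prints one line per sample such as "10:15:02, +00.0123456s"
    # (output format assumed); NTP (UDP 123) on the target must be reachable.
    $lines = & w32tm /stripchart /computer:$ComputerName /samples:1 /dataonly 2>&1
    foreach ($line in @($lines)) {
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') { return [double]$Matches[1] }
    }
    return $null
}

$scepServer = '192.0.2.10'    # placeholder: replace with <SCEPServerIP>
$check = Test-ScepServer -ScepServerIP $scepServer
$check | Format-List Url, Reachable, NdesPage, CaThumbprint, ChallengeIssued
if (-not ($check.NdesPage -and $check.ChallengeIssued)) {
    Write-Warning 'SCEP server did not return a usable NDES page; re-check the NDES installation and the account permissions.'
}

$offset = Get-ClockOffsetSeconds -ComputerName $scepServer
if ($offset -eq $null) {
    Write-Warning 'Could not measure the clock offset (w32tm failed); verify the clocks manually.'
} elseif ([math]::Abs($offset) -gt 300) {
    Write-Warning ("Clock skew of {0:N1}s against the SCEP server; certificates may be rejected as not yet valid." -f $offset)
}
```

Add -WindowsServer2003 when the SCEP add-on runs on Windows Server 2003. A 401 from mscep_admin shows up as Reachable = False with the warning text, which usually means the account running the script is not permitted to enroll.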





BlackBerry Support Prerequisite 


1. BlackBerry Enterprise Server 

   Install the BlackBerry Enterprise Server (BES). Refer to the following URLs for 
   more information about BES 5.x: 

   http://us.blackberry.com/apps-software/server/5/ 

   and 

   http://docs.blackberry.com 


2. BES User Administration Tool 

   If you want to use Mobile Security for BlackBerry devices, install the BES User 
   Administration Tool on the Management Server. 

   To download the BES User Administration Tool: 

   a. Go to the following URL: 

      http://us.blackberry.com/support/downloads 

   b. From the list of Business software, click BlackBerry Enterprise Server 
      Resource Kit, and then read the instructions on the Web page to download 
      the BlackBerry Enterprise Server User Administration Tool v5.0 Service 
      Pack 2 from the BlackBerry Enterprise Server Resource Kit v5.0 Service 
      Pack 2. 


3. BlackBerry mobile device activation 

   You must activate BlackBerry mobile devices before you are able to manage 
   them using Mobile Security. Refer to the following URL for the details: 

   http://docs.blackberry.com 


4. Router/Firewall Access Rule 

   Configure the following port: 

   • TCP port 3101—Allow outbound connection from BES to the 
     BlackBerry Infrastructure (BBI) on TCP port 3101. 
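The Router/Firewall Access Rules given under General Prerequisites, iOS Support Prerequisite and BlackBerry Support Prerequisite can be verified from the servers themselves before anything is installed. The PowerShell script below is an added example, not part of the Trend Micro guide: each rule is a TCP connect attempt from the server that must initiate it. The host names are placeholders, ports 1433 (SQL Server) and 389 (LDAP) are assumed defaults the guide does not state, and the BlackBerry Infrastructure host must be taken from your BES documentation. Port 5223 is used by the devices themselves, and reachability of the Communication Server from mobile devices has to be tested from a device outside the intranet, so neither is covered here.

```powershell
# Added example (not from the Trend Micro guide): pre-installation reachability
# check for the firewall rules in Chapter 2. Run it on the server named in the
# From column of each rule; it reports which required TCP connections succeed.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain .NET socket so this also runs on PowerShell 2.0 (Windows Server 2008 R2),
    # which has no Test-NetConnection cmdlet.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)    # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Placeholder host names; replace with your own.
$comm = 'tmms-comm.corp.example'     # Communication Server
$sql  = 'sql01.corp.example'         # SQL Server hosting the Mobile Security database
$dir  = 'dc01.corp.example'          # corporate directory server (Active Directory)
$scep = 'ndes01.corp.example'        # SCEP (NDES) server, reached over HTTP
$bbi  = 'bbi.example.invalid'        # BlackBerry Infrastructure host (from your BES documentation)

# Each rule: the role that must initiate the connection, the target, the port and why.
# Ports 1433 and 389 are assumed defaults; the guide names only 8189, 8190, 2195, 5223 and 3101.
$rules = @(
    @{ From = 'Management';    Target = $comm; Port = 8189; Why = 'SOAP channel to Communication Server' },
    @{ From = 'Management';    Target = $comm; Port = 8190; Why = 'socket channel to Communication Server' },
    @{ From = 'Management';    Target = $sql;  Port = 1433; Why = 'Mobile Security database (assumed default port)' },
    @{ From = 'Communication'; Target = $sql;  Port = 1433; Why = 'Mobile Security database (assumed default port)' },
    @{ From = 'Management';    Target = $dir;  Port = 389;  Why = 'directory authentication/import (assumed LDAP port)' },
    @{ From = 'Communication'; Target = $dir;  Port = 389;  Why = 'directory authentication/import (assumed LDAP port)' },
    @{ From = 'Communication'; Target = $scep; Port = 80;   Why = 'SCEP enrollment (iOS, only if SCEP is used)' },
    @{ From = 'Communication'; Target = 'gateway.push.apple.com'; Port = 2195; Why = 'Apple Push Notification service (iOS MDM)' },
    @{ From = 'BES';           Target = $bbi;  Port = 3101; Why = 'BlackBerry Infrastructure' }
)

function Test-TmmsFirewallRules {
    # Run on the server that plays $Role; only the rules originating there are tested.
    param([string]$Role)
    $results = @()
    foreach ($r in $rules) {
        if ($r.From -ne $Role) { continue }
        $results += New-Object PSObject -Property @{
            From      = $r.From
            Target    = $r.Target
            Port      = $r.Port
            Reachable = (Test-TcpPort -ComputerName $r.Target -Port $r.Port)
            Why       = $r.Why
        }
    }
    return $results
}

# Example run on the Management Server; use 'Communication' or 'BES' on those hosts.
$report = Test-TmmsFirewallRules -Role 'Management'
$report | Format-Table From, Target, Port, Reachable, Why -AutoSize
if ($report | Where-Object { -not $_.Reachable }) {
    Write-Warning 'One or more required connections failed; fix the firewall rules before installing.'
}
```

A successful connect only proves that the path is open; it does not prove the service on the far end is the one you expect, so keep the directory, SQL and SCEP rules restricted to the two Mobile Security servers rather than opening them broadly.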


Chapter 3 


Installing and Removing Server 
Components 


This chapter guides administrators in installing Trend Micro Mobile Security for 
Enterprise 8.0 server components. It also explains how to remove the 
server components. 

This chapter contains the following sections: 

• Installing Server Components on page 3-2 

• Installing Server Components with a Local Update Source on page 3-8 

• Upgrading to Mobile Security v8.0 on page 3-9 

• Removing Server Components on page 3-11 

Installing Server Components 


Before you proceed to install Mobile Security server components, make sure the Mobile 
Security components meet the specified system requirements. You may also need to 
evaluate your network topology and determine the Mobile Security server components 
you want to install. 


This section shows you how to install the following Mobile Security server components: 


• Management Server—hosts the OfficeScan program and provides the administrator 
  management console. 

• Communication Server—the server that handles communication between the 
  Management Server and Mobile Device Agents (MDA) 

• SMS Sender—mobile device that connects to the Communication Server to send 
  SMS messages 





Note: The Management Server and Communication Server do not support the installation on 
Windows Server 2000. 





Installing Management Server 


Before you can install the Management Server, make sure you have already installed the 
following: 

• Microsoft IIS Web server for OfficeScan server 

• OfficeScan server version 10.0/10.5/10.6 and Plug-in Manager 1.0/2.0. 

To install Management Server: 

1. Log on to the OfficeScan Web console. 

2. Click Plug-in Manager in the main menu. 

3. Click Download to get the Mobile Security Plug-in package. The package also 
   includes installation files for the SMS Sender, Communication Server, and Mobile 
   Device Agent. 

4. Click OK to start the file download process. Wait until the file download is 
   completed. 

5. Click Install Now. 

6. Click Accept to agree with the end-user license and start the installation process. 


Note: Mobile Security requires Java Runtime Environment (JRE) to upload .apk files from 
the Application Management module on the Management Server. The JRE is 
automatically installed with the installation of the Management Server. However, if the 
computer where you have installed the Management Server already has the JRE 
installed, then the Management Server setup will not install JRE. If the existing JRE 
version is older than 1.6, then you will need to manually uninstall JRE, and install 
version 1.6 or above. 





Registering the Product 


Trend Micro provides all registered users with technical support, malware pattern 
downloads, and program updates for a specified period after which you must purchase 
renewal maintenance to continue receiving these services. Register Mobile Security 
server to ensure that you are eligible to receive the latest security updates and other 
product and maintenance services. 


You only need to register Mobile Security server on the Management Server using the 
Activation Code. Mobile Device Agents automatically obtain license information from 
the Mobile Security server after the mobile devices are connected and registered to the 
server. 


Activation Code Format 

An Activation Code displays in the following format: 

XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX 


To register Mobile Security server: 


1. Log on to the OfficeScan Web console and click Plug-in Manager. 


2. Click the Manage Program button for Mobile Security. If this is the first time you 
access the management console, the Product License screen displays; otherwise, 
click Administration > Product License and click New Activation Code. 
3. Type the Activation Code in the fields provided and click Save. 

   Figure 3-4 shows the Product License screen with the Activation Code field for 
   Trend Micro Mobile Security and the Save and Cancel buttons. 

   FIGURE 3-4. Registering Mobile Security after installation 

4. Verify that product registration is successful. Click Dashboard to display the 
   Dashboard screen. You should see the message "Trend Micro Mobile Security 8.0 
   has been activated." if product registration is successful. 


After the registration is complete, the Getting Started screen as shown in Figure 3-5 
displays and guides you through the following steps to complete the initial settings: 

1. Configure Database Settings: configure the database for Trend Micro Mobile 
   Security. 

2. Configure Authentication Settings: configure User Authentication settings for 
   users to authenticate and enroll mobile devices to Mobile Security. 

3. Download and Configure Communication Server Settings: download and install 
   the Communication Server installation package, then configure Settings for 
   Communication Between Communication Server and Devices and Settings for 
   Communication Between Communication Server and Management Server so that 
   mobile devices and the Management Server can communicate with the 
   Communication Server. 

4. Configure DNS Server for Simpler Android Authentication and Provisioning 
   (Optional): configure your DNS server if you want Android mobile devices to 
   recognize the Mobile Security server using email addresses only. Refer to the 
   Installation and Deployment Guide for the detailed procedure. 

Each step has a Skip this step check box. Click Start configuring Mobile Security to 
begin. 

FIGURE 3-5. Getting Started screen 
Accessing the Management Server Web Console 


You can access the management console for Management Server through the 
OfficeScan Web console. 


To access the Management Server Web console: 


1. Log on to the OfficeScan Web console and click Plug-in Manager. 
2. Click Manage Program for Mobile Security. 


Accessing Management Server Web Console Using Internet Explorer 9 
with IIS version 6 


If you are using IIS version 6 for Management Server, you need to configure the correct 
Multipurpose Internet Mail Extensions (MIME) type for Cascading Style Sheets (CSS) to 
display the Management Server Web console correctly. 


To configure the MIME type for CSS in IIS 6: 


1. Open the Internet Information Services (IIS) Manager screen and then right-click 
   OfficeScan > officescan > console and click Properties. The console 
   Properties pop-up window displays. 

2. On the HTTP Headers tab, click MIME Types, and then click New. 

3. In the Extension text field, type .css and in the MIME type text field, type 
   text/css, and then click OK. 

4. Click OK on the MIME Types pop-up window and then on the console 
   Properties pop-up window. 


Installing Communication Server 





Note: Before you proceed with the Communication Server installation, make sure you have 
installed IIS Web server on your computer. 


With IIS Web server, the Communication Server supports both HTTP and HTTPS 
connection types. 





To install the Communication Server: 


1. Log on to the OfficeScan Web console. 

2. Click Plug-in Manager in the main menu. 

3. Click Administration > Communication Server Settings > Common Settings 
   and then click the download link to download the Communication Server package to 
   the computer on which you want to install the Communication Server. 

4. Double-click the setup file to start the installation process. 

5. Follow the on-screen instructions. 

6. Select an IP address and type a service port number for the Communication Server. 
   The IP address and port number are used for the Communication Server to 
   communicate with the Management Server. Trend Micro recommends selecting 
   "ALL" for IP address. If you select "ALL", the service listens on every interface, 
   including the public one that mobile devices reach, so restrict ports 8189 and 8190 
   at the firewall to the Management Server address as described in the Router/Firewall 
   Access Rules under General Prerequisites. 


Note: If the installation fails, make sure that the ISAPI Extension feature is installed for 
Internet Information Services (IIS). Also, make sure to install the Communication 
Server with administrator privileges. 





Installing SMS Sender 


An SMS sender is a Windows Mobile device that you need to install only if you want to 
send SMS text messages to push notifications to users from the Mobile Security server. 


Note: If you do not use SMS Sender, remote lock and remote wipe instructions cannot be 
pushed to Windows Mobile devices; all other features work as normal. For iOS, 
Android, BlackBerry and Symbian mobile devices, all features of Mobile Security 
work as normal without an SMS Sender. 





Install SMS senders to send messages that notify Mobile Device Agents to: 

• download and install Mobile Device Agent 

• register to the Mobile Security server 

• update components from the Mobile Security server 

• synchronize configuration with the Mobile Security server 

• remote wipe the mobile device 

• remote locate the mobile device 

• remote lock the mobile device 




You can install and connect up to 64 SMS senders to the Communication Server over 
Wi-Fi connections. 





WARNING! If you connect an SMS sender to a host computer using ActiveSync and a 
firewall is installed on the Communication Server, you must configure the 
firewall rule to allow traffic on port 5721. Otherwise, the SMS sender cannot 
receive instructions from the Communication Server to send messages 
to mobile devices. 





To install an SMS sender: 


1. On the Management Server, copy the setup file from the folder 
   \OfficeScan\Addon\Mobile Security\AgentPackage\SmsSender to a 
   memory card for the supported Windows Mobile device platform. 

2. Insert the memory card into the device. Open the setup file to install the SMS Sender 
   program. You can install the SMS Sender on the memory card or on the phone. 

3. From the Start menu, open SMS Sender Setup in the Programs folder to 
   configure Communication Server and phone settings. In the SMS Sender Config 
   screen, do the following: 

   • Type the DNS name or IP address of the Communication Server 

   • Type the HTTP port number of the server 

   • Type the phone number to send SMS notifications 

   • Select the encoding method for SMS notifications 


Note: By default, SMS senders use Unicode to encode SMS messages. If errors occur 
when sending or receiving SMS messages in Unicode, change the encoding 
method to "7-bit GSM". 
Installing Server Components with a Local Update Source


If the Management Server is unable to connect to the Internet, you need to install the 
Mobile Security server components on the Management Server (localhost) and specify 
local update sources for Mobile Security. 





Note: Before you continue, obtain the installation package from your Trend Micro sales representative. The installation package contains the setup files for the Mobile Security agent and server components.





To install Mobile Security for Enterprise 8.0 with a local update source:

1. On the Management Server, do the following to create a virtual directory "TmmsAu":
   a. Open the Internet Information Services (IIS) Manager screen and right-click Default Web Site. Then click New > Virtual Directory.
   b. Extract the installation package from Trend Micro.
   c. Copy the folders "TmmsServerAu" and "TmmsClientAu" to the virtual directory. If prompted, accept to overwrite any existing folders in the directory.

   The "TmmsServerAu" folder should contain OSCE_AOS_COMP_LIST.zip, OSCE_PLS_TMMS.zip, OSCE_PLS_TMMS_Install.zip and server.ini.

   The "TmmsClientAu" folder should contain the mobile client applications and server.ini.
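The virtual directory step above done from PowerShell, as an added example that is not part of the Trend Micro guide. It assumes IIS 7 or later with the WebAdministration module, an assumed extraction folder for the package and an assumed folder backing the virtual directory, and it ends by fetching a file through IIS at the same URLs the consoles are given later, which catches a wrong path before the update source is saved.

```powershell
# Added example (not from the Trend Micro guide): create the TmmsAu virtual
# directory, stage the two update folders, and confirm IIS serves them.
# Assumed values: $PackageRoot (where the Trend Micro package was extracted)
# and $PhysicalPath (the folder backing the virtual directory).
Import-Module WebAdministration

$PackageRoot  = 'C:\TmmsPackage'
$PhysicalPath = 'C:\inetpub\TmmsAu'

New-Item -ItemType Directory -Path $PhysicalPath -Force | Out-Null

# Equivalent of New > Virtual Directory on Default Web Site
if (-not (Test-Path 'IIS:\Sites\Default Web Site\TmmsAu')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'TmmsAu' `
        -PhysicalPath $PhysicalPath | Out-Null
}

# Copy both update folders, overwriting any earlier copy
foreach ($folder in 'TmmsServerAu', 'TmmsClientAu') {
    Copy-Item -Path (Join-Path $PackageRoot $folder) -Destination $PhysicalPath `
        -Recurse -Force
}

# The guide lists what TmmsServerAu must contain; fail early if anything is missing
$required = 'OSCE_AOS_COMP_LIST.zip', 'OSCE_PLS_TMMS.zip',
            'OSCE_PLS_TMMS_Install.zip', 'server.ini'
$missing = $required | Where-Object {
    -not (Test-Path (Join-Path $PhysicalPath "TmmsServerAu\$_"))
}
if ($missing) { throw "TmmsServerAu is missing: $($missing -join ', ')" }

# Fetch one file from each folder through IIS at the URLs the consoles will use.
# Invoke-WebRequest throws on a non-2xx status, so a bad path stops the script.
# A 404.3 on server.ini means IIS has no MIME mapping for .ini; add one for
# the TmmsAu directory instead of loosening request filtering site-wide.
foreach ($url in 'http://localhost/TmmsAu/TmmsServerAu/OSCE_AOS_COMP_LIST.zip',
                 'http://localhost/TmmsAu/TmmsClientAu/server.ini') {
    $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
    "{0} -> HTTP {1}" -f $url, $resp.StatusCode
}
```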


To specify a local update source for OfficeScan:

1. Log on to the OfficeScan Web console and click Updates > Update Source. The Server Update Source screen displays.

2. Select Other update source and type "http://localhost/TmmsAu/TmmsServerAu" in the field provided. Click Save.

3. Restart the OfficeScan Plug-in Manager service to make the changes take effect.

4. Log on to the OfficeScan Web console again and click Plug-in Manager.

5. Follow the on-screen instructions to download and install Mobile Security on the Management Server.

6. After the installation is completed, click Manage Program to access the configuration screens for Mobile Security.

7. Type the Activation Code to register the product. Refer to Registering the Product on page 3-3 for more information. After product registration is completed successfully, the Dashboard screen for Mobile Security displays.


To specify a local update source for Mobile Security:

1. Log on to the OfficeScan Web console and click Plug-in Manager. Then, click Manage Program for Mobile Security.

2. Click Updates > Server Update and click the Source tab to configure the update source for Mobile Security components.

3. Select Other update source and type http://localhost/TmmsAu/TmmsClientAu in the field provided. Click Save.

4. To verify the update source, perform a manual update (click Updates > Server Update > Manual).


Upgrading to Mobile Security v8.0 


You can upgrade Mobile Security from version 7.0/7.1 to 8.0 on all Management Server components.

Note: If you upgrade from version 7.0 to 8.0 on a 64-bit operating system, make sure to disable the IIS OfficeScan Application Pool's 32-bit mode after completing the upgrade.

To disable the OfficeScan Application Pool 32-bit mode:

1. Open the IIS management console, and click Application Pools in the left pane.

2. Select OfficeScanAppPool from the list in the center pane, and then click Advanced Settings... in the right pane. The Advanced Settings dialog box appears.

3. On the Advanced Settings dialog box, set Enable 32-Bit Applications to False.

4. Restart IIS.
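The same four steps from PowerShell, as an added example that is not part of the Trend Micro guide. It assumes IIS 7 or later with the WebAdministration module; enable32BitAppOnWin64 is the configuration property behind the "Enable 32-Bit Applications" setting shown in IIS Manager. The script records the value before and after so the change can be seen in the output, and refuses to continue if the pool does not exist.

```powershell
# Added example (not from the Trend Micro guide): turn off 32-bit mode on
# OfficeScanAppPool after a 7.0 -> 8.0 upgrade on 64-bit Windows, verify, recycle.
Import-Module WebAdministration

$pool = 'IIS:\AppPools\OfficeScanAppPool'
if (-not (Test-Path $pool)) { throw "Application pool not found: $pool" }

# enable32BitAppOnWin64 == "Enable 32-Bit Applications" in Advanced Settings
$before = (Get-ItemProperty -Path $pool).enable32BitAppOnWin64
Set-ItemProperty -Path $pool -Name enable32BitAppOnWin64 -Value $false
$after  = (Get-ItemProperty -Path $pool).enable32BitAppOnWin64

"OfficeScanAppPool enable32BitAppOnWin64: {0} -> {1}" -f $before, $after
if ($after) { throw 'Failed to disable 32-bit mode on OfficeScanAppPool' }

# Step 4, "Restart IIS": iisreset stops and starts all IIS services
iisreset
```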
If you only installed the Mobile Security Management Module (MSMM) for Mobile Security 7.0, then do the following:

1. Upgrade MSMM to the Management Server for 8.0:
   a. Log on to the OfficeScan Web console and click Plug-in Manager. Then, click Download for Trend Micro Mobile Security. Mobile Security downloads the setup programs from the Trend Micro server.
   b. Click Upgrade. The setup program automatically uninstalls the previous version of MSMM and installs the Mobile Security 8.0 Management Server.

2. Install the Communication Server. Refer to Installing Communication Server on page 3-5 for the detailed procedure.

Note: You must install the Management Server before the Communication Server.

3. Configure Communication Server settings. Refer to Configuring Communication Server Settings on page 4-4 for the detailed procedure.

4. Configure SMS senders. Refer to Installing SMS Sender on page 3-6 for the detailed procedure.


If you installed both the Mobile Security Management Module (MSMM) and the Mobile Security Communication Module (MSCM) for Mobile Security 7.0, then do the following:

1. Upgrade MSMM to the Management Server for 8.0:
   a. Log on to the OfficeScan Web console and click Plug-in Manager. Then, click Download for Trend Micro Mobile Security. Mobile Security downloads the setup programs from the Trend Micro server.
   b. Click Upgrade. The setup program automatically uninstalls the previous version of MSMM and installs the Mobile Security 8.0 Management Server.

2. Uninstall MSCM:
   a. Go to Start > Control Panel > Programs and Features.
   b. Select the Mobile Security Communication Manager program from the list, and then click Uninstall.

3. Install the Communication Server. Refer to Installing Communication Server on page 3-5 for the detailed procedure.

Note: You must install the Management Server before the Communication Server.

4. Configure Communication Server settings. Refer to Configuring Communication Server Settings on page 4-4 for the detailed procedure.

5. Configure SMS senders. Refer to Installing SMS Sender on page 3-6 for the detailed procedure.


Removing Server Components 


This section guides you through the steps you need to perform to remove the 
Management Server and the Communication Server. 


Removing Management Server 


Trend Micro Mobile Security Management Server can be removed either automatically 
or manually: 


Removing Management Server Automatically 
To remove Management Server automatically: 

1. Log on to the OfficeScan Web console. 

2. Click Plug-in Manager in the main menu. 


3. Click Uninstall to remove Management Server. The progress bar displays on the 
screen showing the uninstallation progress. 
Removing Management Server Manually

Although an automatic uninstall is recommended, if you encounter any problem during the automatic uninstall you can remove the Management Server manually.


To remove Management Server manually: 





WARNING! This procedure requires you to modify registry keys. Making incorrect changes to the registry can cause serious system problems. Always make a backup copy before making any registry changes. For more information, refer to the Registry Editor Help.





1. Delete the related key in the Registry.
   a. Open the Registry Editor, and go to the following key:
      HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\OfficeScan\service\Aos
   b. Delete the subkey OSCE_ADDON_TMMS.

2. Stop the following Windows Services:
   • OfficeScan Plug-in Manager
   • Mobile Security Management Module Service
   • Mobile Security Monitor Service
   • Mobile Security Management Module BlackBerry Service

3. On your hard disk, go to ..\Trend Micro\OfficeScan\Addon, and delete the folder Mobile Security.

4. Using the Windows Command Prompt, delete the Mobile Security related services using the following commands:
   • sc delete TMMSMasterService
   • sc delete TMMSMonitorService
   • sc delete BBMDMService

5. On your hard disk:
   • go to ..\Trend Micro\OfficeScan\PCCSRV, and delete the file OSCE_AOS_COMP_LIST.xml.
   • go to ..\Trend Micro\OfficeScan\PCCSRV\TEMP, and delete the folder AoS.
   • go to ..\Trend Micro\OfficeScan\PCCSRV\Download, and delete the following files:
     • OSCE_PLS_TMMS.zip
     • OSCE_PLS_TMMS_Install.zip
     • server.ini

6. Modify the Registry key:
   a. Open the Registry Editor, and go to the following key:
      HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\OfficeScan\service\Aos
   b. Set the value OSCE Addon Service CompList Version to 1.0.1000.

7. Start the OfficeScan Plug-in Manager service in the Windows Services.
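The manual removal above as one PowerShell script, added here as an example that is not part of the Trend Micro guide. It takes the registry backup the warning asks for before touching anything, and it stops if that backup fails. Assumed values: the OfficeScan install folder, and the exact spelling of the registry value name (the guide prints it with spaces; extraction may have dropped underscores, so the script checks that the value exists under the Aos key before setting it rather than silently creating a new one). Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Trend Micro guide): manual Management Server
# removal, steps 1-7, with a registry backup first.
$OsceRoot         = 'C:\Program Files\Trend Micro\OfficeScan'   # assumed
$AosKey           = 'HKLM:\SOFTWARE\TrendMicro\OfficeScan\service\Aos'
$VersionValueName = 'OSCE_Addon_Service_CompList_Version'        # assumed spelling

# Backup before any registry change (the guide's warning)
$backup = Join-Path $env:TEMP ("Aos-{0}.reg" -f (Get-Date -Format yyyyMMddHHmmss))
reg.exe export 'HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Aos' $backup /y
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed' }
"Registry backup written to $backup"

# Make sure the value we will modify in step 6 really exists under this name
if (-not (Get-ItemProperty -Path $AosKey).PSObject.Properties[$VersionValueName]) {
    throw "Value '$VersionValueName' not found under $AosKey; check the exact name in regedit"
}

# 1. Delete the add-on subkey
Remove-Item -Path (Join-Path $AosKey 'OSCE_ADDON_TMMS') -Recurse -ErrorAction SilentlyContinue

# 2. Stop the services; the guide lists display names, so match on those
foreach ($display in 'OfficeScan Plug-in Manager',
                     'Mobile Security Management Module Service',
                     'Mobile Security Monitor Service',
                     'Mobile Security Management Module BlackBerry Service') {
    Get-Service -DisplayName $display -ErrorAction SilentlyContinue |
        Stop-Service -Force -ErrorAction SilentlyContinue
}

# 3. Remove the add-on folder
Remove-Item -Path (Join-Path $OsceRoot 'Addon\Mobile Security') -Recurse -Force -ErrorAction SilentlyContinue

# 4. Delete the service registrations (service names, not display names)
foreach ($svc in 'TMMSMasterService', 'TMMSMonitorService', 'BBMDMService') {
    sc.exe delete $svc
}

# 5. Remove the component list, the temp folder and the downloaded packages
$pccsrv = Join-Path $OsceRoot 'PCCSRV'
Remove-Item -Path (Join-Path $pccsrv 'OSCE_AOS_COMP_LIST.xml') -Force -ErrorAction SilentlyContinue
Remove-Item -Path (Join-Path $pccsrv 'TEMP\AoS') -Recurse -Force -ErrorAction SilentlyContinue
foreach ($f in 'OSCE_PLS_TMMS.zip', 'OSCE_PLS_TMMS_Install.zip', 'server.ini') {
    Remove-Item -Path (Join-Path $pccsrv "Download\$f") -Force -ErrorAction SilentlyContinue
}

# 6. Reset the component-list version so Plug-in Manager re-reads it
Set-ItemProperty -Path $AosKey -Name $VersionValueName -Value '1.0.1000'

# 7. Start Plug-in Manager again and show its state
Get-Service -DisplayName 'OfficeScan Plug-in Manager' | Start-Service
Get-Service -DisplayName 'OfficeScan Plug-in Manager' | Select-Object Name, Status
```

If the name check fails, open the Aos key in regedit, copy the value name exactly, and set $VersionValueName to it before re-running; the .reg backup lets you restore the key if anything goes wrong.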


Removing Communication Server 
Trend Micro Mobile Security Communication Server can be directly removed from the 
Windows Control Panel. 
To uninstall the Communication Server: 


1. From the Windows Control Panel, double-click Programs and Features. The 
Uninstall or change a program window displays. 


2. Select Trend Micro Mobile Security Communication Server and then click 
Uninstall. A dialog box displays. 


3. On the dialog box, select Automatically close applications and attempt to 
restart them after setup is complete and click OK. 


4. Follow the on-screen instructions to complete the uninstallation process. 
Chapter 4


Configuring Server Component 


This chapter assists administrators in configuring the server components for Trend 
Micro Mobile Security for Enterprise 8.0. 

This chapter contains the following sections: 

• Initial Server Setup on page 4-2
• Configuring Database Settings on page 4-2
• Configuring Device Authentication Settings on page 4-3
• Configuring Active Directory (AD) Settings on page 4-4
• Configuring Communication Server Settings on page 4-4
• Managing Apple Push Notification Service Certificate on page 4-10
• Using Configuration and Verification on page 4-11
• Configuring Notifications/Reports Settings on page 4-11
• Configuring Administrator Notifications on page 4-12
Initial Server Setup


This section walks you through the initial setup of Mobile Security server after the 
installation. 

Initial server setup steps include:

1. Configuring Database Settings on page 4-2
2. Configuring Device Authentication Settings on page 4-3
3. Configuring Active Directory (AD) Settings on page 4-4
4. Configuring Common Communication Server Settings on page 4-4
5. Installing the Certificate Authority (CA) and Simple Certificate Enrollment Protocol (SCEP) server. Refer to OS Support Prerequisite on page 2-3.
6. Managing Apple Push Notification Service Certificate on page 4-10
7. Configuring iOS Communication Server Settings on page 4-7
8. Configuring BlackBerry Communication Server Settings on page 4-9
9. Configuring Notifications/Reports Settings on page 4-11
10. Configuring Administrator Notifications on page 4-12


Note: You must complete the initial server setup for the Mobile Security server before you 
continue to install Mobile Device Agent on mobile devices. 





Configuring Database Settings 


To configure Database Settings:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Database Settings.
4. Type the server name or IP address, your user name, password and the database name.

Note: If you are using a specific port for the SQL server, use the format:
• For SQL Server: <SQL server name or IP address>,<Port>
• For SQL Server Express: <SQL server name or IP address>,<Port>\<Instance name of SQL Server Express>

5. Click Save.


Configuring Device Authentication Settings 


To configure Device Authentication Settings:

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program.
3. Click Administration > Device Enrollment Settings.
4. On the Device Authentication tab, select one of the following:

   • Do not authenticate—to disable authentication for mobile devices.

   Note: If you select this setting, users do not need to type a user name and password to register their mobile devices with the Communication Server. Any device that can reach the Communication Server can then enroll, so use this setting only in closed test environments.

   • Authenticate using:—if you select this setting, you can select either or both of the following device authentication methods:
     • Active Directory—to use the user information from Active Directory to authenticate mobile devices.
     • Preset user name and password—to use the user information from the local database to authenticate mobile devices.

   Note: If you select Preset user name and password for device authentication, you must also type the preset account user name and password in the fields provided. This is a single credential shared by every enrolling device; protect it accordingly.

5. Click Save.
Configuring Active Directory (AD) Settings


Trend Micro Mobile Security 8.0 provides the option to configure user authentication based on Active Directory (AD). Once configured, you can also use your corporate Active Directory to add mobile devices to the device list.

If you do not want to use Active Directory for user authentication, or if you do not want to add users from Active Directory, then you do not need to configure this setting.


To configure Active Directory Settings:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Active Directory Settings.
4. Type the host name or IP address of the domain controller, its port number, your domain user name and your password. Use a dedicated domain account with read-only directory access for this, since the Management Server stores the credential to query the directory later.
5. Click Save.


Configuring Communication Server Settings 


Mobile Security 8.0 provides the following two types of settings for Communication 
Server: 


• Settings for Communication Between Communication Server and Mobile Devices—used for communication between the Communication Server and mobile devices. Mobile devices only need to connect to the Communication Server. If the Management Server and the Communication Server are installed on the same computer, the mobile devices must be able to reach that computer.

• Settings for Communication Between Communication Server and Management Server—used for communication between the Communication Server and the Management Server, and uses port 8189 for Simple Object Access Protocol (SOAP) communications.


Configuring Common Communication Server Settings 


To configure Common Communication Server Settings:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Communication Server Settings.
4. On the Common Settings tab, fill all the fields with the relevant information. Consider the following while configuring Common Communication Server Settings:

   • Settings for Communication Between Communication Server and Mobile Devices:

     If you do not select HTTPS port in Settings for Communication Between Communication Server and Mobile Devices, the mobile devices will use the HTTP port to communicate with the Communication Server, and enrollment credentials and policy traffic travel unencrypted. Select HTTPS wherever the devices support it.

     iOS 5.x mobile devices support HTTPS only. Therefore, if you want to manage iOS 5.x mobile devices, select HTTPS port to communicate with the Communication Server, and upload the SSL certificate to Mobile Security.

     To upload the SSL certificate to Mobile Security:
     i. Click Administration > Certificate Management.
     ii. Click Add, select the certificate, and then click Save.

     For the basic security model (single server installation), the default ports of the Communication Server and Management Server are as follows:
     • HTTP port: 8080
     • HTTPS port: 4343

     For the enhanced security model (dual server installation), the default ports of the Communication Server are as follows:
     • HTTP port: 80
     • HTTPS port: 443

   • Settings for Communication Between Communication Server and Management Server:

     Use the default port number 8189 for the SOAP connection. If you need to customize this port number, refer to Configuring Communication Server Ports on page B-3 for details.
5. Select the frequency at which Mobile Security collects information about the applications installed on mobile devices.

Note: Mobile Security collects the information about the applications installed on mobile devices according to the frequency you have selected:
• For iOS mobile devices, Mobile Security collects this information at the time the iOS mobile device is enrolled.
• For Android mobile devices, Mobile Security collects this information for the first time when the Android mobile device is enrolled, and subsequently at any time between 9:00 AM and 6:00 PM.
Changing the frequency resets the timer, but Mobile Security will collect this information at the same time of the day.

6. Click Save.


Configuring Android Communication Server Settings 
To configure Android Communication Server Settings:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Communication Server Settings.
4. On the Android Settings tab, configure the following:

   • Push Notification Settings
     • Select Enable push notification to enable this setting for Android devices. Clear to disable.

   • Agent Customization
     • Select Enable agent customization to add the server IP address and port number to the Android client application that users download from the Mobile Security server. The server IP address and port number are then filled in automatically in the client application and users do not need to type this information manually.
       Clear Enable agent customization to disable the feature for Android mobile devices.

5. Click Save.




Configuring DNS Server for Simpler Android Provisioning 


You can configure your DNS Server for simpler provisioning of Android mobile devices by specifying the server information (IP address, domain name and server port number) for the users in advance. The client application then looks up the domain part of the user's email address, and the server IP address and port number are filled in automatically; users do not need to type this information manually.

To configure the DNS Server for simpler provisioning of Android mobile devices:

1. Open the DNS server console from the Windows Control Panel.

2. Right-click the domain associated with Mobile Security where you want to add the registration information for the users, and then click Other New Records.

3. In the Select a resource record type list, select Text (TXT), and then click Create Record. The New Resource Record window appears.

4. On the New Resource Record window, fill in the following fields:
   • Record name: type the record name. You can leave this field blank if you want to use the parent domain name.
   • Text: type the Communication Server address as follows:
     TM_MDM_SERVER={http://<Communication Server IP>:<Communication Server Port>}

Note: Replace <Communication Server IP> and <Communication Server Port> with the actual Communication Server IP address and port number.

5. Click OK on the New Resource Record window, and then click Done on the Resource Record Type window.
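The same TXT record created and checked from PowerShell, as an added example that is not part of the Trend Micro guide. It assumes the DnsServer module (Windows Server 2012 or later; a dnscmd equivalent is shown in a comment for older servers) and uses assumed values for the zone, the Communication Server address and the port. The lookup at the end resolves the record the way the Android client does, from the email domain alone, and parses the URL back out so a typo in the braces or scheme shows up before any user tries to enroll.

```powershell
# Added example (not from the Trend Micro guide): publish TM_MDM_SERVER as a
# TXT record on the zone apex and verify it resolves and parses.
$Zone   = 'corp.example.com'   # assumed: the domain part of the users' email addresses
$Server = '10.0.0.5'           # assumed Communication Server IP
$Port   = 8080                 # the HTTP port chosen in Common Settings
$Text   = "TM_MDM_SERVER={http://${Server}:${Port}}"

# '@' is the zone apex, the same as leaving Record name blank in the console
Add-DnsServerResourceRecord -ZoneName $Zone -Name '@' -Txt -DescriptiveText $Text

# dnscmd equivalent for Windows Server 2008 / 2008 R2:
# dnscmd /RecordAdd corp.example.com @ TXT "TM_MDM_SERVER={http://10.0.0.5:8080}"

# Verify as a client would: query the domain's TXT records and pick ours
$txt = Resolve-DnsName -Name $Zone -Type TXT |
       Where-Object { $_.Strings -match '^TM_MDM_SERVER=' }
if (-not $txt) { throw "No TM_MDM_SERVER TXT record found in $Zone" }

# Parse the value back out; the braces and the scheme must both be present
$value = ($txt.Strings | Where-Object { $_ -match '^TM_MDM_SERVER=' })[0]
if ($value -match '^TM_MDM_SERVER=\{(?<url>https?://[^}]+)\}$') {
    "Android clients in $Zone will be provisioned against $($Matches.url)"
} else {
    throw "Record is present but malformed: $value"
}
```

Anyone who can query the zone can read this record, so it should carry only the address and port, never credentials; and if the Communication Server is configured for HTTPS, publish the HTTPS URL and port here so that enrollment does not start over plain HTTP.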


Configuring iOS Communication Server Settings 
To configure iOS Communication Server Settings:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Communication Server Settings.
4. On the iOS Settings tab, configure the following:

   • Simple Certificate Enrollment Protocol (SCEP) Settings
     i. Select Enable SCEP. Clear to disable.
     ii. If enabled, fill the fields with the following information:
        • SCEP user URL: http://<SCEP_IP>/certsrv/mscep
        • SCEP admin URL:
          For Windows Server 2008: http://<SCEP_IP>/certsrv/mscep_admin
          For Windows Server 2003: http://<SCEP_IP>/certsrv/mscep
        • User account: <SCEP Server login user name>
        • User password: <SCEP Server login user password>
        • Certificate name: <a name for the certificate>
        • Subject: O=TrendMicro,CN=Enroll

     Note: The SCEP server account and password are sent to the admin URL, so use HTTPS for these URLs where your SCEP server supports it.

   • Apple Push Notification service (APNs) Settings
     • Certificate type: Select your certificate type.
     • Certificate: Select the APNs certificate from the drop-down list, or upload a new one.

   • Client Profile Signing Credential
     • Client Profile Signing Credential: Select a certificate for the signing credential from the drop-down list, or upload a new one.

5. Click Save.




Configuring BlackBerry Communication Server Settings 





Note: Before configuring BlackBerry Communication Server settings, you must install the brk-besuseradminclient command tool on the Mobile Security Management Server.

To find the BlackBerry Command Tool path:

1. Log on to the BlackBerry Administration Service.

2. From the Servers and components menu, click BlackBerry Solution topology > BlackBerry Domain > Component View.

3. On the right pane, you can see the BlackBerry Enterprise Server instance name.
To configure BlackBerry Communication Server Settings:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Communication Server Settings.
4. On the BlackBerry Settings tab, fill all the fields with the following information.

   • BlackBerry Administration Service Credentials
     • Server name: <BES server name (your computer name) or IP address where you have installed the BES Administration Service>
     • User account: <administrator name for the BES Administration Service>
     • Password: <password for the user account>
     • Domain name: <BES server domain name>

   Note: If your OfficeScan server cannot connect with the BES server using the BES server name, type the BES server IP address in the Server name field.

   • BlackBerry Database Settings
     • Database address: <BES configuration database server name or IP address>
     • User name: <database user name>

   Note: You need to create a database user with the Connection and Read permissions for the database.

     • Password: <database user login password>
     • Database name: <BES configuration database name>

   Note: For BlackBerry Database settings, Trend Micro Mobile Security only supports SQL Server authentication mode for SQL Server.

   • BlackBerry Command Tool Settings
     • Tool path: <BlackBerry Administration Tool installation path. For example: C:\Program Files\Research In Motion\BlackBerry Enterprise Server Resource Kit\BlackBerry Enterprise Server User Administration Tool Client>

5. Click Save.


Managing Apple Push Notification Service Certificate 


Refer to Generating and Configuring APNs Certificate starting on page C-1 for the detailed procedure of generating the APNs certificate and then uploading it to the Mobile Security server.

Note: If you have already uploaded an APNs certificate from the Apple Push Notification service (APNs) Settings on the iOS Settings tab, then you do not need to upload it again in Certificate Management.

To manage the Apple Push Notification certificate:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Certificate Management.
4. Click Add, select the Apple Push Notification Server certificate from the hard disk, and then click Save.




Using Configuration and Verification 


This screen enables you to quickly configure Mobile Security settings. It also enables you 
to verify if all the settings that you have configured are correct. 


To use Configuration and Verification:

1. Log on to the OfficeScan Web console.
2. Click Plug-in Manager in the main menu.
3. Click Administration > Configuration and Verification.
4. You can now configure and verify Mobile Security settings:
   • To configure Mobile Security settings, read the instructions on the screen and click on the text to open the settings screen.
   • To verify Mobile Security settings, click Verify Mobile Security Configuration.


Configuring Notifications/Reports Settings 


You may configure the notification source to send out the notification email message to 
the administrators. 


To configure Notifications/Reports Settings:

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program.
3. Click Notifications/Reports > Settings.
4. You can now configure SMTP server settings and the SMS sender list for outgoing notifications:

   • To configure SMTP server settings for email notification messages: type the From email address, the SMTP server IP address and its port number. If the SMTP server requires authentication, select Authentication, and then type the user name and password.

   • To configure text message notifications: in the SMS Sender Settings section, click Add, type the phone number of an SMS sender on the pop-up that appears, and then click Save. The SMS sender list displays the phone number that you added. Check that the Status field displays Connected for the number you have configured. If the Status field displays Disconnected, make sure the SMS sender can connect to the Communication Server.




Trend Micro Mobile Security for Enterprise v8.0 Installation and Deployment Guide 





WARNING! Ensure the phone number used here is the same as the one con- 
figured on the SMS sender device. If not, the SMS sender will 
not be able to connect to the Communication Server. 





Configuring Administrator Notifications 


You can configure the Administrator Notifications and Reports settings to receive error message notifications and regular scheduled reports via email.

To configure notifications and reports sent to the administrator:

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program.
3. Click Notifications/Reports > Administrator Notifications/Reports.
4. Select the notifications and reports you want to receive via email, and then click on individual notifications and reports to modify their contents. Click Save when done to return to the Administrator Notifications and Reports screen.

Note: When you select reports that you want to receive, you can also adjust their frequencies individually from the drop-down list after each report.

5. Click Save.


Chapter 5 


Mobile Device Agent Component Installation

This chapter discusses the different mobile device agent deployment methods. Mobile device requirements and models that Mobile Device Agent supports are also included.

This chapter contains the following sections:

• Planning Mobile Device Agent Installation on page 5-2
• Installing Mobile Device Agent on page 5-4
• iOS Provisioning on page 5-11
• Using the Encryption and Password Module on page 5-13




Planning Mobile Device Agent Installation 





Note: Make sure the mobile devices can connect to the Communication Server through 
Wi-Fi, 3G/GPRS, or using the Internet connection on a host computer. 





Supported Mobile Devices and Platforms 


Before installing and using the Mobile Security mobile device agent program (known as 
the Mobile Device Agent) on mobile devices, ensure that your mobile devices meet the 
requirements. 


Device Storage and Memory

TABLE 5-1. System Requirements

OPERATING SYSTEM                                STORAGE (MB)
Windows Mobile 5 Pocket PC/Pocket PC Phone
Windows Mobile 6 Classic/Professional
Windows Mobile 5 Smartphone
Windows Mobile 6 Standard
Symbian OS 9.x S60 3rd/5th Edition
Android 2.1 or above


Note: For iOS mobile devices, Mobile Security supports iOS 4.x and above. For BlackBerry mobile devices, Mobile Security supports BES 5.x.

Note: iOS and BlackBerry mobile devices do not require any Mobile Security client software (Mobile Device Agent) installation.
Mobile Device Agent Installation Methods


You can install Mobile Device Agent on mobile devices using one of the following 
methods: 


• Installation through SMS messages or email—sends SMS messages or email with the Mobile Device Agent installation URL to mobile devices or users' email addresses. Users need to access the URL in the SMS message or email, and then register the mobile device with the Communication Server. You need to install the SMS senders if you want to send SMS notification messages.

• Installation through Web browser—in the Web browser, open the following URL to automatically download and install the Mobile Device Agent on mobile devices:

  http://<External_domain_name_or_IP_address>:<HTTP_port>/officescan/PLS_TMMS_CGI/cgiOsmaProvision.dll

  or

  https://<External_domain_name_or_IP_address>:<HTTPS_port>/officescan/PLS_TMMS_CGI/cgiOsmaProvision.dll

  Note: Replace <External_domain_name_or_IP_address>, <HTTP_port> and <HTTPS_port> with the values you configured in Administration > Communication Server Settings > Common Settings > Settings for Communication Between Communication Server and Mobile Devices.

• Memory card—for Symbian or Windows platforms, download the setup file from the Management Server and copy the extracted files to a memory card. Once you insert the memory card into a mobile device, Mobile Device Agent installation is automatic.

  Note: The memory card installation method is not available if you want to re-install or upgrade Mobile Device Agent for Mobile Security for Enterprise 8.0 on Symbian devices. In this case, use the manual installation method.

• Manual install—requires you to transfer setup files to each mobile device and run the setup program. After the installation is completed, you then need to register the Mobile Device Agents with the Communication Server. For detailed instructions on manual installation and registration, refer to Launching the Setup File Manually on page 5-8 or the User's Guide for your mobile device platform.


Installing Mobile Device Agent 


To use the encryption and password module on a Windows Mobile device, you must first:

• disable the password security or memory card encryption feature that comes with Windows Mobile on your mobile device
• remove any third-party password security program. You may be prompted to remove the program during the installation process.





Note: The encryption and password module on Windows Mobile devices will not work if 
the built-in password security or the memory card encryption feature is enabled. 





Silent Installation Using Email or SMS Notifications 


Installing the Mobile Device Agent through SMS notifications involves the following steps:

• Configuring Notifications/Reports Settings on page 4-11
• Configuring Installation Message on page 5-4
• Configuring the Mobile Device List on page 5-5


Configuring Installation Message 


To initiate silent Mobile Device Agent installation, Mobile Security sends an email 
and/or a text message to notify mobile devices to download and install Mobile Device 
Agent. 




Users can open the email or text message and download the Mobile Device Agent setup 
package by accessing the URL included in the email or the text message. The Mobile 
Device Agent setup package will automatically fill the server IP and port number, while 
users will need to type the device name, domain name and password to register. 

You can use the Installation Message screen to type the message you want to display. 


To configure installation message: 


1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click Manage Program for Mobile Security.
3. Click Notifications/Reports > User Notifications.
4. Select Mobile Device Enrollment, and then click on the text.
5. Type the subject, email and/or the text message in the related text box(es), and then click Save.





Note: The installation message must include the characters "%DOWNLOADURL%", which will automatically be replaced with the URL that allows users to download the Mobile Device Agent setup file.








Note: The email notification only sends the download link for downloading client setup 
files, and will not automatically fill the server IP address and port number in the 
register screen. 





6. Click Save on the User Notifications screen. 


Configuring the Mobile Device List 


Configure the mobile device list on the Mobile Security server if you want to send SMS 
messages to specified mobile devices. You must first configure the mobile device agent 
list before SMS Senders can notify mobile devices to install and register Mobile Device 
Agents. 


If you install Mobile Device Agent manually, the Mobile Security server will 
automatically add Mobile Device Agent information to the list after the device is 
registered to the Mobile Security Server. 
To add a mobile device:

1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. Click the Manage Program button for Mobile Security.
3. Click Devices. The Device Management screen displays.
4. You can now add one mobile device, a batch of mobile devices, a user or an email group (distribution list) from the Active Directory:


   • To add a mobile device:
     i. Click Add Device > Add Device. The Add Device window pops up.
     ii. On the Add Device window, configure the following fields:
        • Phone number—type the phone number of a mobile device. To ensure that the mobile device can receive notification messages successfully from an SMS sender, you may type the country code (1-5 digits long). You do not have to type the international direct dialing prefix.
        • Email—type the user email address to send notification mail.
        • Device name—type the name of the mobile device to identify the device in the device tree.
        • Group—select the name of the group to which the mobile device belongs from the drop-down list. You can always change the group to which the mobile device agent belongs.

     Tip: To add more devices, click the button.

   • To add a batch of mobile devices:
     i. Click Add Device > Add Batch.
     ii. Type the device information in the text box on the window that displays.
     iii. Click Validate to verify that the device information conforms to the specified format.

   • To add a user or an email group (distribution list) from the Active Directory:
     i. Click Add Device > Add from AD.
     ii. Type the user information in the field provided, and click Search.
     iii. Select the user from the search result, and then click Add to Device List.


5. Click Save.
6. Check that the new device information is displayed in the device tree. After you have added information for the mobile devices on the Mobile Security server, refer to the next section to install Mobile Device Agent on these mobile devices.


Checking Mobile Device Agent Status 


After you have saved the mobile device information on the Mobile Security server, SMS 
senders automatically send SMS messages to notify the mobile devices to start Mobile 
Device Agent download and installation. After the installation is completed successfully, 
Mobile Device Agent registers to the Mobile Security server. The file download, product 
installation, and registration may take several minutes. 


You can check the mobile device agent registration status in the Dashboard screen for 
Mobile Security in the Management Server. 


Installing Using Memory Card (Symbian and Windows) 


You can use a memory card to automatically install Mobile Device Agent on mobile 
devices. You need to download the setup file from the Mobile Security server and 
extract the files to a memory card. 





WARNING! Memory card installation method is not available if you want to 
re-install or upgrade Mobile Device Agent on a Symbian device. In this 
case, you should use the manual installation method. 





To obtain setup files from the Mobile Security server: 


1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. In the Plug-in Manager screen, click Manage Program for Mobile Security.
3. Click Administration > Device Enrollment Settings.
4. Click Download to download the ZIP file to your computer.
5. Extract the ZIP file.
6. Copy the extracted files to the root folder in a memory card.

Note: If the extracted files are not located in the root folder in the memory card, automatic installation will not work when you insert the card into a mobile device.





To install Mobile Device Agent on a mobile device: 


1. Insert the memory card into a mobile device. Setup automatically installs Mobile Device Agent.
2. After the installation is complete, restart your mobile device when prompted.
3. Register to the Mobile Security server. Select an AP that your mobile device uses to connect to the Communication Server. Mobile Security is added to the Start menu.


The registration process may take several minutes. To verify that mobile device agent 
registration is successful, check the Mobile Device Agent status in the device tree on the 
Mobile Security server. 


Launching the Setup File Manually 




You can execute the setup file on a mobile device to manually install Mobile Device 
Agent. To transfer the setup file to the mobile device, you need to use ActiveSync or PC 
Suite to connect the mobile device to a host computer. After the installation is 
completed successfully, you must manually register Mobile Device Agent to the Mobile 
Security server. 


Note: On Symbian mobile devices, you can use PC Sync to install Mobile Device Agent 
directly from the host computer. 





To obtain setup files from the Mobile Security server: 


1. Log on to the OfficeScan Web console and click Plug-in Manager.
2. In the Plug-in Manager screen, click Manage Program for Mobile Security.
3. Click Administration > Device Enrollment Settings.
4. Select the setup file and click Download to download the ZIP file to your computer.
5. Extract the ZIP file and copy the extracted files to a host computer.


The administrator will have to determine the best way to send this file to the user. 
This could, for example, be done through an email or on a helpdesk site in an 
Intranet. 


The user can also be provided the installation file:

Transfer the appropriate setup file to the mobile device or execute the setup file on a host computer using computer software.

• Windows Mobile 5 for Smartphone or Windows Mobile 6 Standard: MobileSecurity_SP.cab

• Windows Mobile 5 for Pocket PC/Pocket PC Phone or Windows Mobile 6 Professional/Classic: MobileSecurity_PPC.cab

• Symbian OS 9.x S60 3rd/5th Edition on Nokia mobile device: MobileSecurity_S60.sis

• Android 2.1 or above: TmmsSuite.apk

Alternatively, users can be instructed to download and install the mobile device agent by visiting the following URL:

http://<External_domain_name_or_IP_address:HTTP_port>/officescan/PLS_TMMS_CGI/cgiOsmaProvision.dll

or

https://<External_domain_name_or_IP_address:HTTPS_port>/officescan/PLS_TMMS_CGI/cgiOsmaProvision.dll

Note: Replace <External_domain_name_or_IP_address>, <HTTP_port> and <HTTPS_port> with the values you configured in Administration > Communication Server Settings > Common Settings > Settings for Communication Between Communication Server and Mobile Devices.

Note: You can also obtain the Mobile Device Agent setup files directly from the server at the following location:

http(s)://<OfficeScan_Server:Port>/officescan/PLS_TMMS_ActiveUpdate/<Setup_Package_Name>

The setup package names (<Setup_Package_Name>) on the server are as follows:

• PPC: MobileSecurity_PPC.cab

• SP: MobileSecurity_SP.cab

• Android: TmmsSuite.apk

• Symbian S60 3rd/5th on Nokia mobile device: MobileSecurity_S60.sis





To manually install Mobile Device Agent on Windows Mobile or Symbian mobile devices:

1. On your device, navigate to the location of the setup file.
2. Open the setup file to start installing the Mobile Device Agent.
3. After the installation completes, copy the file TmSettings.ini to the appropriate directory on the handset:
   • For Windows Mobile: \Program Files\Trend Micro\Mobile Security\
   • For Symbian: C:\system\data\mobilesecurity\ (Symbian OS requires a 3rd-party file explorer to access this directory.)
4. Restart the mobile device. After the restart is complete, the Device name, Host name or IP address, and Port number fields in the Register screen display the valid information.


Manual Registration 

You will need to manually register Mobile Device Agent to the Communication Server if 
you install Mobile Device Agent manually or if the automatic registration process fails. 
To manually register Mobile Device Agent to the Mobile Security server: 

1. Open Mobile Device Agent program on the mobile device. 

2. The Register screen displays. Do either of the following: 


• On Symbian and Windows Mobile devices: Type a descriptive name for the device, the DNS name or IP address, HTTP or HTTPS port number of the Communication Server, your domain user name and its password. Click Register.





Note: Symbian mobile devices can only use HTTP to communicate with the 
Communication Server. Windows Mobile devices can only use HTTP to 
register, but can use HTTP or HTTPS for further communications 
depending on the settings you configured in Settings for Communication 
Between Communication Server and Mobile Devices while configuring 
the common Communication Server settings. See Configuring Common 
Communication Server Settings on page 4-4. 





• On Android mobile devices: type your email address and tap Next. Type your domain user name and password, and then tap Register.


3. After the registration is completed, view the license information in the About 
screen (Menu > About) on the mobile device. You can also see the device status on 
the Mobile Security server. 





Note: The registration process may take several minutes depending on your network speed. 





iOS Provisioning 


To be able to manage iOS mobile devices from the Mobile Security server, you must 
install a provisioning profile on the mobile devices. This provisioning profile must 
identify you (through your development certificate) and your device (by listing its unique 
device identifier). 
WARNING! JavaScript must be enabled for Safari on iOS mobile devices for enrollment. Otherwise, the enrollment will be unsuccessful.





To install provisioning profile on iOS mobile device: 


1. On the iOS mobile device, open the Safari Web browser, and go to the following URL:

http://<External_domain_name_or_IP_address:HTTP_port>/officescan/PLS_TMMS_CGI/cgiOsmaProvision.dll

or

https://<External_domain_name_or_IP_address:HTTPS_port>/officescan/PLS_TMMS_CGI/cgiOsmaProvision.dll

Note: Replace <External_domain_name_or_IP_address>, <HTTP_port> and <HTTPS_port> with the values you configured in Administration > Communication Server Settings > Common Settings > Settings for Communication Between Communication Server and Mobile Devices.

Note: If authentication is required by the administrator, the Authentication Required pop-up dialog box appears. Type your domain account (or user name) and password, and then tap Log In.

The Install Profile screen displays.

2. On the Install Profile screen, tap Install, and then tap Install Now on the confirmation pop-up dialog box.
3. If the mobile device requires a passcode, type your passcode on the Enter Passcode screen that appears, and then tap Done. The Installing Profile screen appears.
4. Tap Install on the Warning confirmation screen. The profile installation process begins. After the process is completed, the Profile Installed screen displays.
5. Tap Done.




To uninstall provisioning profile from iOS mobile device: 


1. On the iOS mobile device, go to Settings > General > Profiles.
2. Select MDM Enrollment Profile, and then tap Remove. If you have configured the device lock password, type the password to uninstall the provisioning profile.

Note: For iOS 5.x mobile devices, removing the profile will also remove the mobile device from the Device list on the Mobile Security server.





Using the Encryption and Password Module 


The encryption and password module provides the power-on password and encryption 
features on your mobile device. 


Encryption module can be used on a mobile device if all of the following requirements 
are met: 


• Mobile Device Agent is installed successfully

• Mobile Device Agent has successfully registered to the Mobile Security server

• the encryption module supports the mobile device platform

Note: The encryption in Mobile Security for Enterprise 8.0 supports Windows Mobile 5/6 operating system, but does not support Symbian S60 3rd/5th, Android, iOS and BlackBerry operating systems.

• the memory card encryption function is not enabled on the mobile device


To use the encryption module (only for Windows Mobile devices): 


1. After installing Mobile Device Agent, register the Mobile Device Agent to the Mobile Security server. To register the Mobile Device Agent, refer to Manual Registration on page 5-11.
2. After registration, you are prompted to provide an initial power-on password to log on the device. By default, the initial password is 123456.

Appendix A


Firewall Ports Configurations 


This appendix provides all the firewall ports configurations that you need while 
installing Trend Micro Mobile Security, and brings together all the firewall ports 
configurations mentioned in the document. 

This appendix contains the following sections: 

• Firewall Ports Configuration for Basic Security Model (Single Server Installation) on page A-2

• Firewall Ports Configuration for Enhanced Security Model (Dual Server Installation) on page A-4

Firewall Ports Configuration for Basic Security Model (Single Server Installation)


If you are using the basic security model, configure the following firewall ports for 
Mobile Security components: 


COMPONENT: Management Server and Communication Server

  FIREWALL PORTS: Open TCP port 2195 for the Apple Push Notification service (APNs) server. The hostname of the Apple Push Notification Service is gateway.push.apple.com.
  DETAILS: Enables Apple's APNs server to manage iOS mobile devices. If you are not managing iOS mobile devices, this port is not required.

  FIREWALL PORTS: Open HTTP port 8080.
  Note: This is the default HTTP port number for the single server configuration. However, you can change the HTTP port number that you want to use for mobile devices to communicate with the Mobile Security server during the installation.
  DETAILS: Used for communication between mobile devices and the Mobile Security server.

  FIREWALL PORTS: Open HTTPS port 4343.
  Note: This is the default HTTPS port number for the single server configuration. However, you can change the HTTPS port number that you want to use for mobile devices to communicate with the Mobile Security server during the installation.
  DETAILS: Used for secure communication between mobile devices and the Mobile Security Server.

COMPONENT: Active Directory

  FIREWALL PORTS: Open one of the following ports:
  • TCP port 389 (Domain Controller) for Management Server and Communication Server
  • TCP port 3268 (Global Catalog) for Management Server and Communication Server
  DETAILS: Used for user authentication using Active Directory. If you are not using Active Directory to authenticate or import users, this port is not required.

COMPONENT: Simple Certificate Enrollment Protocol (SCEP) Server

  FIREWALL PORTS: Open HTTP port 80 for Communication Server and iOS mobile devices.
  DETAILS: Used for iOS mobile device enrollment. If you are not using a SCEP server to manage iOS mobile devices, this port is not required.

COMPONENT: SQL Server

  FIREWALL PORTS: Open the following ports:
  • TCP port 1433 for Mobile Security server.
  • UDP port 1434 for Mobile Security server.
  Note: TCP port 1433 is the default TCP port to connect to the SQL Server. However, you can also use a different port for SQL server, if required.
  DETAILS: Establishes a connection between the Mobile Security server and the remote SQL server.

COMPONENT: BlackBerry Enterprise Server (BES)

  FIREWALL PORTS: Open the following ports:
  • TCP port 3101 for BES Server Routing Protocol (SRP) Infrastructure.
  • TCP port 443 for Management Server and BES command tool.
  DETAILS: If you are not using Mobile Security to manage BlackBerry mobile devices, these ports are not required.
Firewall Ports Configuration for Enhanced Security Model (Dual Server Installation)


If you are using the enhanced security model, configure the following firewall ports for 
Mobile Security components: 


COMPONENT: Communication Server

  FIREWALL PORTS: Open the following port for the Apple Push Notification service (APNs) server:
  • TCP port 2195: gateway.push.apple.com
  DETAILS: Enables Apple's APNs server to manage iOS mobile devices. If you are not using the APNs server to manage iOS mobile devices, this port is not required.

  FIREWALL PORTS: Open HTTP port 80.
  Note: This is the default HTTP port number for the dual server configuration. However, you can change the HTTP port number that you want to use for mobile devices to communicate with the Communication Server during the installation.
  DETAILS: Used for communication between mobile devices and the Communication Server.

  FIREWALL PORTS: Open HTTPS port 443.
  Note: This is the default HTTPS port number for the dual server configuration. However, you can change the HTTPS port number that you want to use for mobile devices to communicate with the Communication Server during the installation.
  DETAILS: Used for secure communication between mobile devices and the Communication Server.

COMPONENT: Communication Server

  FIREWALL PORTS: Open the following ports:
  • TCP port 8189: the default port for Simple Object Access Protocol (SOAP) connection to allow inbound connection to Communication Server from Management Server
  • TCP port 8190: the default port for socket connection to allow inbound connection to Communication Server from Management Server
  DETAILS: Establishes a connection between the Management Server and the Communication Server.

COMPONENT: Active Directory

  FIREWALL PORTS: Open one of the following ports:
  • TCP port 389 (Domain Controller) for Management Server and Communication Server
  • TCP port 3268 (Global Catalog) for Management Server and Communication Server
  DETAILS: Used for user authentication using Active Directory. If you are not using Active Directory to authenticate or import users, this port is not required.

COMPONENT: Simple Certificate Enrollment Protocol (SCEP) Server

  FIREWALL PORTS: Open HTTP port 80 for Communication Server and iOS mobile devices.
  DETAILS: Used for iOS mobile device enrollment. If you are not using a SCEP server to manage iOS mobile devices, this port is not required.

COMPONENT: SQL Server

  FIREWALL PORTS: Open the following ports:
  • TCP port 1433 for Communication Server and Management Server
  • UDP port 1434 for Communication Server and Management Server
  Note: TCP port 1433 is the default port to connect to the SQL Server. However, you can also use a different TCP port for SQL server, if required.
  DETAILS: Establishes a connection between the Communication Server and the Management Server with the remote SQL server.

COMPONENT: BlackBerry Enterprise Server (BES)

  FIREWALL PORTS: Open the following ports:
  • TCP port 3101 for BES Server Routing Protocol (SRP) Infrastructure.
  • TCP port 443 for Management Server and BES command tool.
  DETAILS: If you are not using Mobile Security to manage BlackBerry mobile devices, these ports are not required.
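The two tables above are easier to act on as a pre-installation check: encode each row with the deployment feature that makes it mandatory, select the rows for your deployment, and confirm from the server that each TCP port actually accepts a connection before you install. The script below is an added example written for this guide, not Trend Micro code; the port table is transcribed from both tables in this appendix (dual-server-only rows are tagged "dual_server", single-server rows "single_server"), while the feature names and the host addresses passed to check_deployment are assumptions you supply. UDP 1434 cannot be verified with a handshake and is reported as skipped.

```python
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PortRequirement:
    component: str
    proto: str         # "tcp" or "udp"
    port: int
    purpose: str
    needed_when: str   # deployment feature that makes the row mandatory, or "always"


# Transcribed from the Basic and Enhanced Security Model tables of this appendix.
REQUIREMENTS: Tuple[PortRequirement, ...] = (
    PortRequirement("APNs (gateway.push.apple.com)", "tcp", 2195,
                    "Apple Push Notification service for iOS devices", "ios"),
    PortRequirement("Mobile Security server", "tcp", 8080,
                    "HTTP from mobile devices (single-server default)", "single_server"),
    PortRequirement("Mobile Security server", "tcp", 4343,
                    "HTTPS from mobile devices (single-server default)", "single_server"),
    PortRequirement("Communication Server", "tcp", 80,
                    "HTTP from mobile devices (dual-server default)", "dual_server"),
    PortRequirement("Communication Server", "tcp", 443,
                    "HTTPS from mobile devices (dual-server default)", "dual_server"),
    PortRequirement("Communication Server", "tcp", 8189,
                    "SOAP connection from the Management Server", "dual_server"),
    PortRequirement("Communication Server", "tcp", 8190,
                    "Socket connection from the Management Server", "dual_server"),
    PortRequirement("Active Directory", "tcp", 389,
                    "User authentication (Domain Controller; 3268 for Global Catalog)", "active_directory"),
    PortRequirement("SCEP server", "tcp", 80, "iOS device enrollment", "scep"),
    PortRequirement("SQL Server", "tcp", 1433, "Connection to the remote SQL server", "always"),
    PortRequirement("SQL Server", "udp", 1434, "Connection to the remote SQL server", "always"),
    PortRequirement("BlackBerry Enterprise Server", "tcp", 3101, "BES SRP infrastructure", "bes"),
    PortRequirement("BlackBerry Enterprise Server", "tcp", 443, "BES command tool", "bes"),
)


def required_ports(features: Set[str]) -> List[PortRequirement]:
    """Rows that apply to a deployment using the given features, e.g. {"ios", "dual_server"}."""
    return [r for r in REQUIREMENTS if r.needed_when == "always" or r.needed_when in features]


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Full TCP handshake: True only when a listener accepts; False on refusal, filtering or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # includes name-resolution failures and ConnectionRefusedError
        return False


def check_deployment(features: Set[str], hosts: Dict[str, str],
                     timeout: float = 3.0) -> List[Tuple[PortRequirement, Optional[bool]]]:
    """
    hosts maps a component name to the address to test from this server.
    UDP rows and components without an address are reported as None (not testable here).
    """
    results = []
    for req in required_ports(features):
        host = hosts.get(req.component)
        if host is None or req.proto != "tcp":
            results.append((req, None))
        else:
            results.append((req, tcp_port_open(host, req.port, timeout)))
    return results


def local_self_test() -> Tuple[bool, bool]:
    """Prove the check on a throw-away local listener: (open while listening, closed afterwards)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # The host names are placeholders; replace them with your own servers' addresses.
    for req, ok in check_deployment({"ios", "dual_server", "active_directory"},
                                    {"SQL Server": "sql.example.invalid"}, timeout=1.0):
        state = "skipped" if ok is None else ("open" if ok else "BLOCKED")
        print(f"{req.component:32s} {req.proto}/{req.port:<5d} {state:8s} {req.purpose}")
```

Run it once from the Management Server and once from the Communication Server, passing the addresses each one actually has to reach; a "BLOCKED" line is the port to add to the firewall rule set before the installation proceeds.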
Optional Configurations


This appendix provides optional configuration procedures that you can perform while 
installing Trend Micro Mobile Security. 

This appendix contains the following sections: 

• Using Windows Authentication for SQL Server on page B-2

• Configuring Communication Server Ports on page B-3

• Increasing Server Scalability on page B-4

Using Windows Authentication for SQL Server


Trend Micro recommends using the SQL Server Authentication method for SQL Server instead of Windows Authentication. However, you can also configure Windows Authentication for SQL Server.


To use Windows Authentication: 


1. Create a domain account in the Active Directory server with the rights to access the Mobile Security database.
2. Add the Management Server and the Communication Server to the domain in which you created the account in step 1.
3. On the Management Server, open Windows Services, and double-click OfficeScan Plug-in Manager.
4. On the Log On tab, select This account:, type the account name that will access the database and its password in the Password and Confirm password fields, and then click OK.
5. Right-click OfficeScan Plug-in Manager in the services list, and then click Restart.
6. On the Management Server, repeat steps 3 to 5 for the following services:
   • Mobile Security Management Module Service
   • Mobile Security Monitor Service
   • Mobile Security Management Module BlackBerry Service
7. On the Communication Server, repeat steps 3 to 5 for the following services:
   • Mobile Security Management Module IOS Service
   • Mobile Security Communication Module (MSCM) server
8. Configure database settings on the OfficeScan Web Console:
   a. Log on to the OfficeScan Web console.
   b. Click Plug-in Manager in the main menu.
   c. Click Administration > Database Settings.
   d. Type the database server IP address and the database name, and leave the User name and Password fields blank.
   e. Click Save.




Configuring Communication Server Ports 


Trend Micro Mobile Security 8.0 enables you to customize the Communication Server ports that it uses to establish the connection with the Management Server.


To configure Communication Server ports: 


1. Configure socket and SOAP ports on the Management Server:
   a. On the Management Server, open TmOMSM.ini in a text editor (located in C:\Program Files\Trend Micro\OfficeScan\Addon\Mobile Security\ or C:\Program Files (x86)\Trend Micro\OfficeScan\Addon\Mobile Security\).
   b. Modify the values of omsm_Svr_port for the SOAP port, and PolicyServerIPCPort for the socket port.
   c. Save and then close the TmOMSM.ini file.
   d. Open Windows services, right-click OfficeScan Master Service, and then click Restart.
2. Configure socket and SOAP ports on the Communication Server:
   a. On the Communication Server, open omsm_srv.ini in a text editor (located in C:\Program Files\Trend Micro\Mobile Security\PolicyServer\).
   b. Modify the values of omsm_soap_port for the SOAP port, and [sockIPC] port for the socket port.
   c. Open Windows services, and restart the following services:
      • Mobile Security Communication Module (MSCM) Server
      • Mobile Security Management Module IPC proxy service
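The procedure edits the same two port numbers in two files on two servers, and the Management Server can only reach the Communication Server if both ends agree. The check below is an added example, not part of the guide or the product: it reads both INI files and reports the channels whose values differ, and rejects a port that is out of range or collides with the Communication Server's default mobile-device ports from Appendix A. The two file contents are constructed samples; the key names are the ones the steps above name, but the section names [omsm] and [PolicyServer] used for TmOMSM.ini are assumptions, since the guide gives only the keys (for omsm_srv.ini the [sockIPC] section is from the guide).

```python
import configparser
from typing import Dict, Optional, Tuple

# Constructed sample of TmOMSM.ini on the Management Server after editing.
# Section names [omsm] and [PolicyServer] are assumptions; the keys are from the guide.
MANAGEMENT_SERVER_INI = """
[omsm]
omsm_Svr_port = 8189

[PolicyServer]
PolicyServerIPCPort = 8190
"""

# Constructed sample of omsm_srv.ini on the Communication Server; note the
# socket port was mistyped here (8191 instead of 8190).
COMMUNICATION_SERVER_INI = """
[omsm]
omsm_soap_port = 8189

[sockIPC]
port = 8191
"""

# Default ports the Communication Server already uses for mobile devices in
# the dual-server model (Appendix A); a custom Management Server port must not reuse them.
RESERVED_PORTS = {80, 443}


def load_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None: values may contain '%' characters; strict=False tolerates duplicate keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def find_port(cp: configparser.ConfigParser, key: str, section: Optional[str] = None) -> int:
    """Read an integer port value. Without a section, search every section
    (configparser compares option names case-insensitively)."""
    sections = [section] if section else cp.sections()
    for sec in sections:
        if cp.has_section(sec) and cp.has_option(sec, key):
            return cp.getint(sec, key)
    raise KeyError(f"{key} not found")


def validate_port(port: int) -> None:
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    if port in RESERVED_PORTS:
        raise ValueError(f"port {port} is already used for mobile device traffic")


def port_mismatches(mgmt_ini: str, comm_ini: str) -> Dict[str, Tuple[int, int]]:
    """Return {channel: (management_value, communication_value)} for channels whose
    two ends disagree; an empty dict means the two servers are consistent."""
    mgmt, comm = load_ini(mgmt_ini), load_ini(comm_ini)
    pairs = {
        "SOAP":   (find_port(mgmt, "omsm_Svr_port"), find_port(comm, "omsm_soap_port")),
        "socket": (find_port(mgmt, "PolicyServerIPCPort"), find_port(comm, "port", "sockIPC")),
    }
    for m, c in pairs.values():
        validate_port(m)
        validate_port(c)
    return {name: (m, c) for name, (m, c) in pairs.items() if m != c}


if __name__ == "__main__":
    # On the real servers, pass open(path).read() of each file instead of the samples.
    for channel, (m, c) in port_mismatches(MANAGEMENT_SERVER_INI, COMMUNICATION_SERVER_INI).items():
        print(f"{channel}: Management Server uses {m}, Communication Server listens on {c}")
```

Whatever ports you settle on must also replace 8189 and 8190 in the firewall rules between the two servers listed in Appendix A.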
Increasing Server Scalability


Depending on your requirements, you can increase the server scalability and improve 
server performance. 


To increase server scalability and improve server performance: 


1. Open the Internet Information Services (IIS) Manager, and select the server on which you want to perform this procedure.
2. Click Application Pools in the left pane, select the AppPool where Mobile Security is installed from the list in the center pane, and then click Advanced Settings... in the right pane. The Advanced Settings dialog box appears.
3. On the Advanced Settings dialog box, make the following changes:
   • Change the value of the parameter Queue Length to 65535.
   • Change the value of the parameter Maximum Worker Processes to 5 or more.
4. After making the changes, click OK, and close the Internet Information Services (IIS) Manager.
5. Open the Windows Command prompt, and then do the following:
   • Type the following command to change the value of the IIS concurrent request limit to 100000:

     c:\windows\system32\inetsrv\appcmd.exe set config /section:serverRuntime /appConcurrentRequestLimit:100000

   Note: To verify this change, open the file %systemroot%\System32\inetsrv\config\applicationHost.config and verify the value of the parameter serverRuntime appConcurrentRequestLimit, which should be 100000.

   • Type the following command to change the IIS concurrent request limit to 100000 in the Windows registry:

     reg add HKLM\System\CurrentControlSet\Services\HTTP\Parameters /v MaxConnections /t REG_DWORD /d 100000
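Both settings in step 5 are easy to get wrong silently (the appcmd change lands in applicationHost.config, the reg add in a REG_DWORD that reg query prints in hexadecimal), so it is worth checking them programmatically rather than by eye. The script below is an added example, not Trend Micro code: it reads the serverRuntime element from applicationHost.config and parses the MaxConnections line of `reg query ... /v MaxConnections` output, and reports whether each equals 100000. The XML fragment and the reg query output are constructed samples of the real formats; on a server you would read the file at the path in the Note above and capture the reg query output instead.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

EXPECTED_LIMIT = 100000

# Constructed sample of the relevant part of applicationHost.config after the
# appcmd command; the real file holds many more sections.
SAMPLE_APPLICATION_HOST = """<configuration>
  <system.webServer>
    <serverRuntime appConcurrentRequestLimit="100000" />
  </system.webServer>
</configuration>
"""

# Constructed sample of the output of
#   reg query HKLM\System\CurrentControlSet\Services\HTTP\Parameters /v MaxConnections
# reg query prints REG_DWORD values in hexadecimal: 0x186a0 == 100000.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
    MaxConnections    REG_DWORD    0x186a0
"""


def concurrent_request_limit(xml_text: str) -> Optional[int]:
    """Value of <serverRuntime appConcurrentRequestLimit="..."/>, or None when the
    attribute is absent (IIS then applies its built-in default, not 100000)."""
    root = ET.fromstring(xml_text)
    for node in root.iter("serverRuntime"):
        value = node.attrib.get("appConcurrentRequestLimit")
        if value is not None:
            return int(value)
    return None


def max_connections_from_reg_query(output: str) -> Optional[int]:
    """Parse the MaxConnections line of reg query output; accepts hex (0x...) or decimal."""
    match = re.search(r"^\s*MaxConnections\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$",
                      output, re.MULTILINE)
    return int(match.group(1), 0) if match else None   # base 0 honours the 0x prefix


def scalability_settings_ok(xml_text: str, reg_output: str) -> Dict[str, bool]:
    """True per setting when it equals the value the procedure sets."""
    return {
        "appConcurrentRequestLimit": concurrent_request_limit(xml_text) == EXPECTED_LIMIT,
        "MaxConnections": max_connections_from_reg_query(reg_output) == EXPECTED_LIMIT,
    }


if __name__ == "__main__":
    # On a real server: xml_text = open(r"%systemroot%\System32\inetsrv\config\applicationHost.config"
    # expanded with os.path.expandvars).read(); reg_output = subprocess output of the reg query above.
    for setting, ok in scalability_settings_ok(SAMPLE_APPLICATION_HOST, SAMPLE_REG_QUERY).items():
        print(f"{setting}: {'OK' if ok else 'NOT SET TO 100000'}")
```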


Appendix C 


Generating and Configuring APNs 
Certificate 


Trend Micro Mobile Security requires the Apple Push Notification service (APNs) 
certificate to manage iOS mobile devices. This appendix introduces the detailed 
procedure of generating the APNs certificate and then uploading it to the Mobile 
Security server. 

This appendix contains the following sections: 

• Understanding APNs Certificate on page C-2

• Generating an APNs Certificate on page C-3

• Uploading APNs Certificate to Mobile Security Server on page C-16

• Generating and Configuring APNs Certificate in Windows 2003 Server Using IIS 6.0 on page C-17

Understanding APNs Certificate


The Apple Push Notification service (APNs) enables Trend Micro Mobile Security for 
Enterprise server to securely communicate to your devices over-the-air (OTA). Each 
organization needs its own APNs certificate to ensure a secure mechanism for their 
devices to communicate across Apple's push notification network. 


Trend Micro Mobile Security for Enterprise uses your APNs certificate to send 
notifications to your devices when the Administrator requests information or manage 
your iOS devices. Only the notification is sent through the APNs server. 


[Figure C-1: Trend Micro Mobile Security for Enterprise sends the notification through the Apple Push Notification service, through the firewall, to the device; the device responds directly to the Trend Micro Mobile Security for Enterprise MDM server.]

FIGURE C-1. Notification process

Generating an APNs Certificate


This section explains the process of generating Apple Push Notification Service 
certificate for iOS mobile devices management. 
The following are the basic steps for Generating APNs certificate: 
1. Generate a Certificate Signing Request (CSR).
2. Do one of the following:
   • Use the certificate signed by Trend Micro
     i. Send the generated CSR to Trend Micro. Trend Micro will sign and return the CSR to you.
     ii. Upload the CSR to the Apple Push Certificates Portal.
   • Use the certificate signed by Apple
     • Upload the CSR to your Apple Development portal. (Apple will sign your certificate.)
3. Download the signed certificate from the Apple portal and complete the initial CSR request.





Note: Make sure that you have the following before you begin: 


• Apple Enterprise Developer account (developer.apple.com/programs/ios/enterprise)
• Your developer account role must be Agent (Admin role will not work)
• Mac OS X workstation or Windows Server with Administrator permissions
• Safari or Firefox Web browser





Trend Micro Mobile Security for Enterprise v8.0 Installation and Deployment Guide 


Generating an APNs Certificate from a Mac Workstation 


The following procedure will guide you to generate an APNs certificate using a Mac OS 
X workstation. For Windows Server you may skip this section, and proceed to Generating 
an APNs Certificate from a Windows Server on page C-8. 


Step 1. Generate a Certificate Signing Request (CSR) 


1. On your Mac computer, go to Applications > Utilities > Keychain Access.
2. On the left pane, select login in the Keychain section, and then select Certificates in the Category section.
3. From the top menu bar, select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority. The Certificate Assistant wizard displays.
4. Type the email address and registered Apple Developer account name in the User Email Address and Common Name fields, select Saved to disk, and then click Continue.
5. Select the location where you want to save the file, and then click Save. You have now created a CSR and are ready to upload it to your Apple development portal.


Step 2. Uploading CSR to Apple portal and generating the APNs certificate


After you have generated the CSR, you can now do one of the following: 


• Send the CSR you have just generated to Trend Micro to sign it for you, and then use it to generate the APNs certificate

• Upload the CSR to the Apple development portal to get it signed by Apple and generate the APNs certificate


To use the certificate signed by Trend Micro 


1. Send the CSR you have just generated to your Trend Micro representative. Trend Micro will sign it and return it to you.
2. After you have received the signed CSR back from Trend Micro, upload the CSR to the Apple Push Certificates Portal:
   a. On the Web browser, navigate to the following URL: https://identity.apple.com/pushcert/.
   b. Sign in with your Apple ID and password. The Get Started page displays.
   c. Click the Create a Certificate button. The Terms of Use screen appears.
   d. Click Accept to agree with the terms. The Create a New Push Certificate screen displays.
   e. Click Browse, select the file already signed by Trend Micro, and then click Upload. Wait until the portal generates the APNs certificate (.pem) file.
   f. Click Download to save the .pem file to your computer, and then proceed to Step 3. Install your APNs certificate on page C-7 for Mac or Step 3. Install your APNs certificate on page C-11 for Windows.


To use the certificate signed by Apple 





Note: Ignore this procedure if you are using the APNs certificate signed by Trend Micro. 





1. On the Web browser, navigate to the following URL: https://developer.apple.com/.
2. Click the Member Center link.
3. Sign in with your Apple ID and password.
4. Click iOS Provisioning Portal.

Note: If you do not see the iOS Provisioning Portal, your development account has not been set up for iOS development.

5. On the left pane, click App IDs, and then click New App ID.
6. Fill in the applicable fields. The Bundle Identifier (App ID Suffix) notation field must be "com.apple.mgmt.mycompany.tmms".

Note: Replace mycompany with your company name.

Note: Note down the Bundle Identifier (App ID Suffix) notation value. You will need this value while configuring the Mobile Security server.

7. Click Submit. The App ID that you have just added appears in the list.
10. Click Configure. 

Tip: If you do not see or cannot click Configure, verify that you are signed in with the Agent role. 

11. Select Enable for Apple Push Notification service, and then click Configure for Production Push SSL Certificate. 

Tip: If you are unable to select Enable for Apple Push Notification service, try using the Safari or Firefox Web browser, and verify that you are signed in with the Agent role. 

12. The SSL Certificate Assistant wizard appears, instructing you to create a Certificate Signing Request (which you have already created in Step 1. Generate a Certificate Signing Request (CSR)). Click Continue. 
13. Click Choose File and upload the Certificate Signing Request file that you created in Step 1. Generate a Certificate Signing Request (CSR). (For example, CertificateSigningRequest.certSigningRequest2). 
14. Click Generate. When completed, a screen appears confirming that your APNs SSL certificate has been generated. 
15. Click Continue. The Download & Install Your Apple Push Notification server SSL Certificate screen displays. 
16. Click Download to save the .cer file to your computer, and then proceed to Step 3. Install your APNs certificate on page C-7 for Mac or Step 3. Install your APNs certificate on page C-11 for Windows. 

Note: To install the APNs certificate on a Windows computer, you must manually change the file extension from .pem to .cer. 





Step 3. Install your APNs certificate 

1. Go to the location where you downloaded the file, and then double-click the file to automatically upload it to Keychain Access and complete the signing request. 
2. Go to Applications > Utilities > Keychain Access. 
3. On the left pane, select login in the Keychain section, and then select Certificates in the Category section. 
4. Verify that your Apple Production Push Services certificate appears on the list, and that it has an associated private key beneath it when you expand it. If you can see the certificate, follow the next steps to export the certificate and upload it to the Trend Micro Mobile Security server. 

Tip: If you do not see your APNs certificate or the private key is not showing, verify that you have the login keychain selected, the Certificates category selected, and your certificate key expanded. If you still do not see your certificate, repeat all of the steps above. 

5. Right-click (or control+click) the private key and click Export. 
6. Choose the file name and location where you want to save the file, and then select the Personal Information Exchange (.p12) file format. 

Tip: If you only have the option to save as a .cer file rather than a .p12, then you are not correctly exporting the certificate. Make sure you selected the private key to export in the last step, and your file format is Personal Information Exchange (.p12). 

7. Click Save. 
8. Choose a password for exporting, and then click OK. 

Tip: Make sure to remember the password, or keep it in a secure place. The password will be required when uploading the certificate to the Trend Micro Mobile Security for Enterprise MDM server. 

After completing all these steps, you should have the following items: 
• APNs certificate (.p12 format, not .cer format) 
• The password that you set when exporting the certificate 

You are now ready to upload your certificate to the Trend Micro Mobile Security server. 


Generating an APNs Certificate from a Windows Server 


The following steps will guide you to generate an APNs certificate from a Windows Server. If you have already generated your certificate from a Mac OS X workstation, you can skip this section and upload your certificate to the Trend Micro Mobile Security for Enterprise MDM server. 


Step 1. Generate a Certificate Signing Request (CSR) 


1. Go to Start > Administrative Tools > Internet Information Services (IIS) 
Manager, and select the server name. 


2. Double-click Server Certificates icon. 





FIGURE C-2. Accessing Server Certificates 







Note: The IIS version 7.0 is used to configure APNs certificate in this document. 





3. From the Actions pane on the right, click Create Certificate Request. The 
Request Certificate wizard appears. 


























FIGURE C-3. Starting Request Certificate wizard 


4. In the Distinguished Name Properties window, type the following: 
   • Common name—the name associated with your Apple Developer account 
   • Organization—the legally registered name of your organization/company 
   • Organizational unit—the name of your department within the organization 
   • City/locality—the city in which your organization is located 
   • State/province—the state or province in which your organization is located 
   • Country/region—the country or region in which your organization is located 

FIGURE C-4. Distinguished Name Properties screen 

5. Click Next. The Cryptographic Service Provider Properties window appears. 


6. Select Microsoft RSA SChannel Cryptographic Provider in the Cryptographic service provider field and 2048 in the Bit length field, and then click Next. 

FIGURE C-5. Cryptographic Service Provider Properties screen 

7. Select a location where you want to save the certificate request file. Make sure to remember the filename and the location where you save the file. 
FIGURE C-6. File Name screen 


8. Click Finish. You have now created a CSR and are ready to upload it to your Apple 
development portal. 


Step 2. Upload CSR to Apple portal and generate the APNs certificate 

Refer to Step 2. Uploading CSR to Apple portal and generating the APNs certificate on page C-4 for Mac OS X for the procedure. 


Step 3. Install your APNs certificate 


1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, select the server name, and then double-click Server Certificates. 


2. From the Actions pane on the right, click Complete Certificate Request. The 
Complete Certificate Request wizard appears. 
FIGURE C-7. Complete Certificate Request 

Note: If you are using IIS 7.5, clicking Complete Certificate Request may display the following error message: 

A certificate chain could not be built to a trusted root authority. 

If this happens, refer to Configure IIS 7.5 for APNs Certificate Installation on page C-15 for the procedure to resolve this issue. 





3. Select the .cer certificate file that you downloaded from the Apple Developer Portal, and type Trend Micro Mobile Security for Enterprise MDM APNs in the Friendly name field. 

Note: If you generated the certificate file from the Mac workstation, you must manually change the .pem file extension to .cer. 
FIGURE C-8. Specify Certificate Authority Response screen 





Tip: The friendly name is not a part of the certificate itself, but is used by the server 
administrator to easily distinguish the certificate. 





4. Click OK. The certificate will be installed on the server. 
5. Verify that your Apple Production Push Services certificate appears on the Server Certificates list. If you can see the certificate, follow the next steps to export the certificate and upload it to the Trend Micro Mobile Security for Enterprise MDM server. 
6. Right-click the certificate in the Server Certificates list, and then click Export. 


FIGURE C-9. Exporting the certificate 


7. Select the location where you want to save the file, choose a password for 
exporting, and then click OK. 


FIGURE C-10. Specifying password for the certificate 
Tip: If you only have the option to save as a .cer file rather than a .pfx, then you are not correctly exporting the certificate. Make sure you selected the correct file to export. 

Note: Make sure to remember the password, or keep it in a secure place. The password will be required when uploading the certificate to the Trend Micro Mobile Security for Enterprise MDM server. 

After completing all these steps, you should have the following items: 
• APNs certificate (.pfx format, not .cer format) 
• The password that you set when exporting the certificate 

You are now ready to upload your certificate to the Trend Micro Mobile Security server. 
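The Tips in both export procedures (the .p12 from Keychain Access on the Mac and the .pfx from IIS on Windows) warn about the same mistake: ending up with a certificate-only .cer instead of a bundle that also holds the private key. Both extensions are PKCS#12 containers, so one offline check covers both. The script below is an added example, not part of the Trend Micro guide; it needs only the openssl command-line tool, and the file name and password in it are placeholders. It assumes, as the guide's screenshots show, that the certificate subject reads "Apple Production IOS Push Services".

```sh
#!/bin/sh
# Added example (not from the Trend Micro guide): sanity-check an exported
# APNs bundle before uploading it to the Mobile Security server.  Keychain
# Access writes .p12 and IIS writes .pfx, but both are PKCS#12 containers,
# so one check covers both procedures.  Requires the openssl CLI.
#
# Usage: check_apns_bundle <bundle.p12|bundle.pfx> <export-password>
# Returns 0 when the bundle opens with the password, carries a private key,
# and its certificate is an Apple production push certificate; 1 otherwise.
check_apns_bundle() {
    bundle="$1"
    password="$2"

    # 1. Does it open at all?  A bare .cer renamed to .p12/.pfx (the mistake
    #    the guide's Tips describe) or a wrong password fails here.
    if ! openssl pkcs12 -in "$bundle" -passin "pass:$password" \
            -nokeys -out /dev/null 2>/dev/null; then
        echo "FAIL: $bundle is not a PKCS#12 bundle or the password is wrong" >&2
        return 1
    fi

    # 2. Is the private key inside?  The server needs it to authenticate to
    #    APNs, so a certificate-only export cannot be used.
    if ! openssl pkcs12 -in "$bundle" -passin "pass:$password" \
            -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"; then
        echo "FAIL: $bundle holds no private key; export the key, not just the certificate" >&2
        return 1
    fi

    # 3. Is the certificate the Apple push certificate?  Print its subject so
    #    the com.apple.mgmt topic can be compared with the Bundle ID you noted
    #    on the Apple portal.
    subject=$(openssl pkcs12 -in "$bundle" -passin "pass:$password" \
                  -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject)
    echo "$subject"
    case "$subject" in
        *"Apple Production"*"Push Services"*)
            return 0 ;;
        *)
            echo "FAIL: certificate subject is not an Apple production push certificate" >&2
            return 1 ;;
    esac
}
```

Run it as `check_apns_bundle apns.p12 'your-export-password'` before logging on to the Web console. With OpenSSL 3 and a file exported by Keychain Access, you may need to add `-legacy` to the three `openssl pkcs12` calls, because Keychain Access still uses the older RC2/3DES PKCS#12 encryption.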


Configure IIS 7.5 for APNs Certificate Installation 


If you are using IIS 7.5, uploading the certificate to IIS may fail with the following message: 

A certificate chain could not be built to a trusted root authority. 

This can happen due to the following reasons: 

• The APNs certificate is signed by the Apple Root CA instead of a public CA. 
• The enhanced check for the trusted root CA by IIS 7.5. 

To configure IIS 7.5 for APNs certificate installation: 

1. Download the Apple Root certificate and Application Integration certificate from the following URL: 
   http://www.apple.com/certificateauthority 
2. Double-click the Apple Root certificate, and then on the Certificate window, click Install Certificate. 
3. On the welcome screen, click Next. Select Place all certificates in the following store and then click Browse. 
4. On the Select Certificate Store window, select Show physical stores, then select Trusted Root Certification Authorities > Local Computer and then click OK. 
5. Click Next on the Certificate Import Wizard screen, then click Finish. 
6. Repeat step 2 to 5 for the Application Integration certificate. However, in step 4, select Intermediate Certification Authorities > Local Computer instead of Trusted Root Certification Authorities > Local Computer. 
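The error above is IIS 7.5 refusing a certificate whose issuer chain it cannot walk back to a root it trusts: the APNs certificate is issued by Apple's Application Integration CA, which in turn is issued by the Apple Root CA, and neither is in the Windows stores until you import them. The script below is an added example, not part of the guide, that rebuilds the same chain offline with openssl so you can confirm the two files you downloaded are the right ones before importing them. The file names are placeholders for the files from Apple's certificate authority page.

```sh
#!/bin/sh
# Added example (not from the Trend Micro guide): rebuild the certificate
# chain that IIS 7.5 checks when you click Complete Certificate Request.
# The Apple Root certificate plays the part of the Trusted Root store and
# the Application Integration certificate the Intermediate store.
# Apple publishes both as DER-encoded .cer files; openssl expects PEM, so
# the inputs are converted first.  Requires the openssl CLI.

# Write <in> to <out> as PEM, accepting either DER or PEM input.
to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null
}

# Usage: verify_apns_chain <apns-cert.cer> <apple-root.cer> <apple-intermediate.cer>
# Returns 0 when the APNs certificate chains to the root through the
# intermediate, 1 otherwise (the situation behind the IIS 7.5 error).
verify_apns_chain() {
    work=$(mktemp -d)
    if ! to_pem "$1" "$work/leaf.pem" ||
       ! to_pem "$2" "$work/root.pem" ||
       ! to_pem "$3" "$work/inter.pem"; then
        echo "FAIL: one of the inputs is not a readable certificate" >&2
        rm -rf "$work"
        return 1
    fi
    # -CAfile is the trust anchor (what you import into Trusted Root
    # Certification Authorities); -untrusted supplies the intermediate
    # (what you import into Intermediate Certification Authorities).
    if openssl verify -CAfile "$work/root.pem" -untrusted "$work/inter.pem" \
            "$work/leaf.pem" >/dev/null 2>&1; then
        echo "OK: $1 chains to $(openssl x509 -in "$work/root.pem" -noout -subject)"
        rm -rf "$work"
        return 0
    fi
    echo "FAIL: no chain from $1 to $2 via $3" >&2
    rm -rf "$work"
    return 1
}
```

Usage: `verify_apns_chain aps_production_identity.cer AppleRoot.cer AppleApplicationIntegration.cer`. If this fails, importing the files into Windows will not help; check that you downloaded the root and intermediate that match the CA named in the APNs certificate's Issuer field.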


Uploading APNs Certificate to Mobile Security Server 


This section explains the process of uploading Apple Push Notification service (APNs) 
certificate to Trend Micro Mobile Security for Enterprise server to start managing iOS 
devices. 





Note: Make sure that you have the following before you begin: 
• APNs certificate file (the .pfx or .p12 format, not the .cer format) 
• The password that you had set when exporting the certificate 
• The administrator account of the Trend Micro Mobile Security for Enterprise MDM server 





To upload APNs certificate to Mobile Security: 


1. Open Internet Explorer, and log on to the OfficeScan Web console. 
2. Click Plug-in Manager in the main menu. 
3. Do one of the following: 


• Click Administration > Certificate Management, click Add, select the Apple Push Notification Server certificate from the hard disk, and then click Save. 

FIGURE C-11. Add certificate through Certificate Management 

• Click Administration > Communication Server Settings, click the iOS Settings tab, select the Apple Push Notification Server certificate from the hard disk in the Certificate field, and then click Save. 


FIGURE C-12. Add certificate through Communication Server settings 


After completing these steps, you can now manage your iOS mobile devices. 


Generating and Configuring APNs Certificate in 
Windows 2003 Server Using IIS 6.0 


Refer to the following URL for the detailed steps on generating and configuring APNs 
certificate in Windows 2003 Server using Internet Information Services (IIS) 6.0: 


http://esupport.trendmicro.com/solution/en-us/1060668.aspx 
Appendix D 

Generating and Configuring SSL Certificate 


Trend Micro Mobile Security requires a private Secure Socket Layer (SSL) server certificate issued from a recognized Public Certificate Authority for the secure communication between mobile devices and the Communication Server using Secure Hypertext Transfer Protocol (HTTPS). This appendix introduces the detailed procedures of generating a private SSL certificate and obtaining a public SSL certificate from a recognized Public Certificate Authority, and then deploying them to Internet Information Services (IIS) Manager on the Communication Server. 

This appendix contains the following sections: 
• Generating and Installing a Private SSL Certificate on Communication Server on page D-2 
• Obtaining and Installing a Public SSL Certificate on Communication Server on page D-13 
• Generating and Configuring SSL Certificate in Windows 2003 Server Using IIS 6.0 on page D-14 


Generating and Installing a Private SSL Certificate on Communication Server 

This section explains the process of generating a private SSL certificate for HTTPS for iOS mobile devices. 

The following are the basic steps for generating and installing a private SSL certificate: 
1. Install a standalone Certification Authority (CA) on the Communication Server. 
2. Generate a Certificate Signing Request (CSR) for the SSL certificate. 
3. Sign and export the SSL certificate. 
4. Complete the initial CSR request. 
5. Install the SSL certificate on iOS mobile devices. 


Step 1. Install a standalone Certification Authority (CA) on the 
Communication Server 


1. Go to Start > Administrative Tools > Server Manager 


2. On the Server Manager tree in the left pane, click Roles, and then in the Roles 
Summary section, click Add Roles. The Add Roles Wizard displays. 


FIGURE D-13. Add Roles Wizard window 


3. On the Before You Begin screen, click Next. 
4. From the Roles list, select Active Directory Certificate Services, and click Next. 
5. On the Introduction to Active Directory Certificate Services screen, click Next. 
6. In the Role services list, select Certification Authority, and click Next. 
7. On the Specify Setup Type screen, select Standalone and click Next. 
8. On the Specify CA Type screen, select Root CA and click Next. 
9. On the Set Up Private Key screen, select Create a new private key and click Next. 
10. On the Configure Cryptography for CA screen, configure the fields as follows: 
   • Select a cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider 
   • Key character length: 2048 
   • Select the hash algorithm for signing certificates issued by this CA: sha1 
FIGURE D-14. Configure Cryptography for CA screen 

11. Click Next. 
12. On the Configure CA Name screen, keep the default settings and click Next. 
13. On the Set Validity Period screen, keep the default settings and click Next. 
14. On the Configure Certificate Database screen, keep the default settings and click Next. 
15. On the Confirm Installation Selections screen, click Install. 
16. After the installation completes, click Close. 




Step 2. Generate a Certificate Signing Request (CSR) 


1. Go to Start > Administrative Tools > Internet Information Services (IIS) 
Manager, and select the server name. 


2. Double-click the Server Certificates icon. 


FIGURE D-15. Accessing Server Certificates 





Note: The IIS version 7.0 is used to configure SSL certificate in this document. 





3. From the Actions pane on the right, click Create Certificate Request. The 
Request Certificate wizard appears. 
FIGURE D-16. Starting Request Certificate wizard 


4. In the Distinguished Name Properties window, type the following: 
   • Common name—the IP address or the registered host name of the Communication Server. For example: mobile.trendmicro.com. 
   • Organization—the legally registered name of your organization/company 
   • Organizational unit—the name of your department within the organization 
   • City/locality—the city in which your organization is located 
   • State/province—the state or province in which your organization is located 
   • Country/region—the country or region in which your organization is located 

FIGURE D-17. Distinguished Name Properties screen 

5. Click Next. The Cryptographic Service Provider Properties window appears. 


6. Select Microsoft RSA SChannel Cryptographic Provider in the Cryptographic service provider field and 2048 in the Bit length field, and then click Next. 

FIGURE D-18. Cryptographic Service Provider Properties screen 

7. Select a location where you want to save the certificate request file. Make sure to remember the filename and the location where you save the file. 
FIGURE D-19. File Name screen 


8. Click Finish. You have now created a CSR and are ready to sign the SSL certificate. 
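Both CSR procedures in this guide (Step 1 of the Windows APNs procedure in Appendix C and Step 2 above) fill the same six Distinguished Name fields and ask for a 2048-bit RSA key, and for the SSL certificate the Common name must be the host name or IP address the mobile devices connect to. The script below is an added example, not part of the guide; it builds an equivalent CSR with openssl and checks an existing CSR (for instance the C:\CertificateRequest.txt written by the IIS wizard) for key size and Common name before it is sent for signing. The DN values in the test are the ones legible in the guide's screenshots; the organizational unit "TMMS" is an assumption, and signing the request with SHA-256 rather than the wizard's default is my choice.

```sh
#!/bin/sh
# Added example (not from the Trend Micro guide): create and inspect a
# certificate signing request equivalent to the one the IIS Request
# Certificate wizard writes.  Requires the openssl CLI.
#
# Usage: make_csr <key-out> <csr-out> <common-name> <organization> \
#                 <organizational-unit> <city> <state> <country-code>
# The six values after the file names are the Distinguished Name fields
# the wizard asks for, in the order the guide lists them; all six must be
# given (openssl rejects empty attributes).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" \
        -subj "/C=$8/ST=$7/L=$6/O=$4/OU=$5/CN=$3" 2>/dev/null
}

# Print the Common name of a CSR.  RFC 2253 output lists each attribute as
# NAME=value separated by commas, which keeps the parsing simple.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the RSA modulus size (in bits) of the key the CSR was made with.
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null |
        openssl rsa -pubin -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Usage: check_csr <csr> <expected-host>
# Returns 0 when the CSR's self-signature verifies, the key is 2048 bits and
# the Common name equals <expected-host> (a mismatch here is the usual reason
# iOS devices refuse the Communication Server's certificate); 1 otherwise.
check_csr() {
    if ! openssl req -in "$1" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: $1 is not a valid CSR" >&2
        return 1
    fi
    bits=$(csr_key_bits "$1")
    if [ "$bits" != "2048" ]; then
        echo "FAIL: key length is ${bits:-unknown}, expected 2048" >&2
        return 1
    fi
    cn=$(csr_common_name "$1")
    if [ "$cn" != "$2" ]; then
        echo "FAIL: Common name '$cn' does not match '$2'" >&2
        return 1
    fi
    echo "OK: $1 requests a 2048-bit certificate for $cn"
}
```

To check the wizard's own output, copy the request file to a machine with openssl and run `check_csr CertificateRequest.txt mobile.trendmicro.com` with your server's real host name; the file is PEM text, so the .txt extension does not matter.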


Step 3. Sign and export the SSL Certificate 


1. Go to Start > Administrative Tools > Server Manager, right-click Roles > Active Directory Certificate Services > [computer name], and click Submit new request. 
2. Select the CSR file you created in Step 2. Generate a Certificate Signing Request (CSR) and then click Open. 
3. Click Roles > Active Directory Certificate Services > [computer name] > Pending Requests, right-click the request, and select All Tasks > Issue. 


FIGURE D-20. Pending requests in Server Manager 


4. Select Roles > Active Directory Certificate Services > [computer name] > Issued Certificates, and double-click the issued certificate. The Certificate window displays. 

FIGURE D-21. Issued certificates in Server Manager 

5. On the Details tab, click Copy to File. The Certificate Export Wizard displays. 
6. On the welcome screen, click Next. 
7. On the Export File Format screen, keep the default settings and click Next. 
8. On the File to Export screen, click Browse and select the file name and location on your hard drive where you want to save the file. 
9. Click Save, and then click Next on the File to Export screen. 
10. Click Finish to export the SSL certificate. A pop-up message displays notifying that the export was successful. 
11. On the Certificate window, click the Certification Path tab, select the root certificate, and then click View Certificate. The root Certificate window pops up. 
12. Repeat Step 5 to Step 10 of this procedure for the root certificate and click OK on the Certificate window. 


Step 4. Install the SSL certificate on the Communication Server 


1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, select the server name, and then double-click Server Certificates. 
2. From the Actions pane on the right, click Complete Certificate Request. The Complete Certificate Request wizard appears. 

FIGURE D-22. Complete Certificate Request 

Note: If you are using IIS 7.5, clicking Complete Certificate Request may display the following error message: 

A certificate chain could not be built to a trusted root authority. 

If this happens, refer to Configure IIS 7.5 for APNs Certificate Installation starting on page C-15 for the procedure to resolve this issue. 

3. Select the SSL certificate (.cer) file that you have created in Step 3. Sign and export the SSL Certificate or purchased in Step 2. Purchase a public SSL certificate on page D-13, and type the server IP or host name in the Friendly name field. The server IP or host name should be the same as the Common name you provided while creating the CSR. Click OK. 
4. From the Connections pane, select [server name] > Sites > OfficeScan. 

Note: If OfficeScan does not appear in the Connections pane, select [server name] > Sites > Default Web Site. 

5. From the Actions pane on the right, click Bindings. The Site Bindings pop-up window displays. 
6. Select https and click Edit. The Edit Site Binding pop-up window displays. 
7. From the SSL certificate drop-down menu, select the SSL certificate you created in step 3 of this procedure and click OK. 
8. Click Close on the Site Bindings pop-up window. 
9. Restart IIS. 


Step 5. Install SSL certificate on iOS mobile devices 


1. Install the root certificate on your computer by performing the following steps: 
   a. Double-click the root certificate, and then on the Certificate window, click Install Certificate. 
   b. On the welcome screen, click Next. 
   c. Keep the default setting, and click Next. 
   d. Click Finish to start the installation. A pop-up message displays notifying that the certificate import was successful. 
2. Download and install the iPhone Configuration Utility from the following URL: http://support.apple.com/downloads 
3. Create a profile for iOS mobile devices: 
   a. Start the iPhone Configuration Utility and click Configuration Profiles from the Library list on the left. 
   b. Click New to add a new profile in the profiles list. 
   c. Select the new profile that you have created, then select Credentials from the center pane, and then click Configure on the Configure Credentials on the right pane. The Personal Certificate Store displays. 
   d. Select the root certificate from the list and then click OK. 
   e. Click General on the center pane and then in the Identity area, type the relevant information in all the text fields provided. 
4. Install the profile on the iOS mobile device: 


a. Connect the iOS mobile device to the computer where you have installed the 
root certificate. 


b. Select the iOS mobile device from the Devices list on the left. 


c. On the Configuration Profiles tab, select the profile you just created, and 
then click Install. The iPhone Configuration Utility pushes the profile to 
the mobile device. 


d. On the mobile device, tap Install on the Install Profile screen and then tap 
Install Now on the Root Certificates pop message. The profile installation 
starts. 


e. After the profile is installed, tap Done on the Profile Installed screen. 


Obtaining and Installing a Public SSL Certificate on Communication Server 


This section provides the procedure of obtaining and installing a public SSL certificate 
for HTTPS for iOS mobile devices. 


The following are the basic steps for obtaining and installing a public SSL certificate: 
1. Generate a Certificate Signing Request (CSR). 
2. Purchase a public SSL certificate from an SSL certificate provider. 


3. Install the purchased certificate in IIS manager on the Communication Server. 


Step 1. Generate a Certificate Signing Request (CSR) 


Refer to Step 2. Generate a Certificate Signing Request (CSR) on page D-5 for the procedure 
of generating a public SSL certificate. After completing this procedure you will be ready 
to purchase a public SSL certificate. 


Step 2. Purchase a public SSL certificate 


Purchase a public SSL certificate from an SSL certificate provider using the CSR file you generated in Step 1, and save it as a .cer file. 

Step 3. Install the purchased certificate in IIS manager on the Communication Server 

Refer to Step 4. Install the SSL certificate on the Communication Server on page D-10 to import the purchased certificate in IIS manager. 


Step 4. Upload SSL certificate to sign iOS client profile (optional) 


If you use an SSL certificate to sign the iOS client profile, the profile will display the sign status as Verified. This will not affect any of the other operations, settings or configurations. 


To upload SSL certificate to sign iOS client profile: 

1. Log on to the OfficeScan Web console and click Plug-in Manager. 
2. Click Manage Program. 

3. Click Administration > Communication Server Settings. 

4. On the iOS Settings tab, do the following: 


a. In the Client Profile Signing Credential section, select Upload a new credential from the dropdown list. The Add certificate pop-up window appears. 


b. Click Browse, select the SSL certificate, and then click Save to upload the 
certificate and close the window. 


5. Click Save on the Communication Server Settings screen. 


Generating and Configuring SSL Certificate in Windows 2003 Server Using IIS 6.0 


Refer to the following URL for the detailed steps on generating and configuring SSL 
certificate in Windows 2003 Server using Internet Information Services (IIS) 6.0: 


http://esupport.trendmicro.com/solution/en-us/1060664.aspx 





